CVE-2022-24836
Inefficient Regular Expression Complexity in Nokogiri
In short
Nokogiri versions before 1.13.4 contain a poorly designed regular expression that can be exploited to freeze or crash applications processing specially crafted HTML documents. Attackers can cause denial of service by sending HTML whose encoding declaration triggers excessive regex backtracking and, with it, excessive CPU time.
Technical detail
CVE-2022-24836 is a ReDoS (Regular Expression Denial of Service) in Nokogiri's HTML encoding detection: the regular expression used to detect a document's encoding is prone to excessive backtracking on crafted input (CWE-1333, CWE-400). The attack vector is sending malformed, specially crafted HTML to an application that parses it with a vulnerable Nokogiri version; the impact is application unavailability through CPU exhaustion.
Summary generated and translated by AI from the official description.
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
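A check a practitioner would run after reading this advisory: the Ruby script below is an added example, not code from the Nokogiri project or from this page. It parses a constructed Gemfile.lock excerpt and flags any nokogiri version below 1.13.4, the fixed release the advisory names; the function names and the sample lockfile are this example's own.

```ruby
# Added example: audit Gemfile.lock entries for CVE-2022-24836.
# Not Nokogiri project code; function names are this example's own.
require "rubygems"

# First release the advisory names as fixed (>= 1.13.4 is safe).
FIXED_NOKOGIRI = Gem::Version.new("1.13.4")

# Gemfile.lock lists resolved gems as "    nokogiri (1.13.3)" or, for
# precompiled native gems, "    nokogiri (1.13.3-x86_64-linux)". Capture
# the numeric version and drop any platform suffix so Gem::Version parses it.
LOCK_ENTRY = /^[ \t]+nokogiri \((\d+(?:\.\d+)*)(?:-[^)]+)?\)/

def nokogiri_versions_from_lockfile(lockfile_text)
  lockfile_text.scan(LOCK_ENTRY).flatten.uniq
end

# True when the version is below the fixed release.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_NOKOGIRI
end

# Affected nokogiri versions found in the lockfile (empty means clean).
def affected_nokogiri_versions(lockfile_text)
  nokogiri_versions_from_lockfile(lockfile_text).select { |v| vulnerable_version?(v) }
end

# Constructed Gemfile.lock excerpt for demonstration, not a real lockfile.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.3)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = affected_nokogiri_versions(SAMPLE_LOCKFILE)
  if hits.empty?
    puts "nokogiri: no versions below #{FIXED_NOKOGIRI} found"
  else
    puts "nokogiri #{hits.join(', ')} affected by CVE-2022-24836; upgrade to >= #{FIXED_NOKOGIRI}"
  end
end
```

Point the script at a real Gemfile.lock with `File.read` to audit an application; a non-empty result means the parser in that app is exposed until the gem is upgraded.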
Affected products
sparklemotion · nokogiri
References
http://seclists.org/fulldisclosure/2022/Dec/23
https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00010.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/
https://security.gentoo.org/glsa/202208-29
https://support.apple.com/kb/HT213532