CVE-2022-24839

Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)

CVSS 7.5 HIGH · EPSS 2.0% · CWE-400
In short

A vulnerability in the HTML parser used by Nokogiri lets an attacker crash an application by submitting specially crafted, malformed HTML that consumes excessive memory while being parsed. The result is a denial of service.

Technical detail

The org.cyberneko.html parser (Nokogiri's fork) fails to bound resource consumption when processing malformed HTML and raises a `java.lang.OutOfMemoryError`. Crafted HTML input can therefore exhaust the JVM heap and crash the application. This is a classic uncontrolled resource consumption weakness (CWE-400) and affects any application that parses untrusted HTML through a vulnerable Nokogiri version.

Summary generated and translated by AI from the official description.
org.cyberneko.html is an HTML parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
sparklemotion · nekohtml
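As an added example (not from the advisory and not Nokogiri project code), a Ruby check that decides whether a nekohtml fork version string is below the fixed release `1.9.22.noko2` named above. It assumes the fork's `<upstream>.noko<N>` naming and treats an unsuffixed upstream version as older than any fork build of the same base version.

```ruby
# Fixed release taken from the advisory text.
FIXED_NEKOHTML = "1.9.22.noko2".freeze

# Parse "1.9.22.noko2" into [[1, 9, 22], 2].
# A bare upstream version such as "1.9.22" yields [[1, 9, 22], 0], so it
# sorts below every ".noko<N>" build of the same base (assumption).
def parse_nekohtml_version(str)
  m = /\A(\d+(?:\.\d+)*)(?:\.noko(\d+))?\z/.match(str.to_s.strip)
  raise ArgumentError, "unrecognised nekohtml version: #{str.inspect}" unless m
  base = m[1].split(".").map(&:to_i)
  fork_rev = m[2] ? m[2].to_i : 0
  [base, fork_rev]
end

# Returns -1, 0 or 1 like <=>. Base versions are compared numerically
# component by component (padded with zeros), then the fork revision.
def compare_nekohtml_versions(a, b)
  base_a, rev_a = parse_nekohtml_version(a)
  base_b, rev_b = parse_nekohtml_version(b)
  width = [base_a.size, base_b.size].max
  pad = ->(v) { v + [0] * (width - v.size) }
  cmp = pad.(base_a) <=> pad.(base_b)
  cmp.zero? ? rev_a <=> rev_b : cmp
end

# True when the installed fork is older than the fixed release.
def nekohtml_vulnerable?(installed)
  compare_nekohtml_versions(installed, FIXED_NEKOHTML) < 0
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; in a real deployment the string would come
  # from the nekohtml jar bundled with the JRuby build of Nokogiri.
  %w[1.9.22.noko1 1.9.22.noko2 1.9.22 1.9.23.noko1].each do |v|
    puts "#{v}: #{nekohtml_vulnerable?(v) ? 'vulnerable' : 'fixed'}"
  end
end
```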
