GHSA-5prr-v3j2-97mh
ADVISORY - githubSummary
Summary
Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node.
Nokogiri 1.19.4 performs the bounds check against the full-width index.
Severity
The Nokogiri maintainers have evaluated this as medium severity.
Exploitation requires an application to pass an attacker-controlled integer to NodeSet#[]. The primary impact is a controlled crash (denial of service), with potential for memory disclosure on CRuby.
On JRuby, Nokogiri is not affected by this vulnerability.
Mitigation
Upgrade to Nokogiri 1.19.4 or later.
As a workaround, applications that index a NodeSet with externally-supplied integers can validate the index against node_set.length before use, or avoid passing untrusted values as an index.
Credit
This issue was responsibly reported by Zheng Yu from depthfirst.com.
GitHub
CVSS SCORE
6.3mediumChainguard
CGA-4938-957r-f3x8
-
minimos
MINI-32f7-rfj3-qcvh
-
minimos
MINI-4852-846w-pgp3
-
minimos
MINI-55gm-276w-67c9
-
minimos
MINI-74xp-873q-gmph
-
minimos
MINI-hj4p-f65j-r6jm
-
minimos
MINI-mfv2-vvw3-x2pv
-
minimos
MINI-mv8h-68pp-vcj5
-