Fluid Attacks Database

Description

org.nokogiri:nekohtml vulnerable to Uncontrolled Resource Consumption

Summary

The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.

Severity

The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

Mitigation

Upgrade to >= 1.9.22.noko2.

Credit

This vulnerability was reported by 이형관 (windshock).

References

CWE-400 Uncontrolled Resource Consumption

Notes

The upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	nekohtml	>=0 <1.9.22.noko2-0.1	1.9.22.noko2-0.1
debian 11	nekohtml	=1.9.22-1.1 \|\| =1.9.22.noko2-0.1 \|\| =1.9.22.noko2-1	-
debian 12	nekohtml	>=0 <1.9.22.noko2-0.1	1.9.22.noko2-0.1
debian 14	nekohtml	>=0 <1.9.22.noko2-0.1	1.9.22.noko2-0.1
maven	org.nokogiri:nekohtml	>=0 <1.9.22.noko2	1.9.22.noko2

Aliases

1. CVE-2022-248392. NVD-2022-248393. OSV-DEBIAN-2022-248394. OSV-2022-248395. GHSA-9849-p7jc-9rmv6. GCVE-2022-248397. SECURITY-TRACKER-CVE-2022-24839

References

1. https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv2. https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d3. https://www.oracle.com/security-alerts/cpujul2022.html