Nokogiri v1.13.4
updates the vendored org.cyberneko.html
library to 1.9.22.noko2
which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).
See GHSA-9849-p7jc-9rmv for more information.
Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4
.
Upgrade to Nokogiri >= 1.13.4
.
org.cyberneko.html
used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError
exception when parsing ill-formed HTML markup.github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
github.com/sparklemotion/nokogiri
github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6
groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
nvd.nist.gov/vuln/detail/CVE-2022-24839