PT-2019-4784 · Rexical+4

Katsuhiko Yoshida +1

Published 2019-08-16 · Updated 2026-03-13

CVE-2019-5477

CVSS v2.0: 10 Critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Nokogiri versions 1.10.3 and earlier
Rexical versions 1.0.6 and earlier

Description

A command injection issue allows commands to be executed in a subprocess via Ruby's Kernel.open method. This occurs when the undocumented method Nokogiri::CSS::Tokenizer#load_file is called with unsafe user input as the filename. The vulnerability is related to the Rexical gem, which Nokogiri uses to generate the lexical scanner code that parses CSS queries.

Recommendations

For Nokogiri versions 1.10.3 and earlier, update to Nokogiri v1.10.4 or later, which bundles the upgraded Rexical version that addresses the underlying vulnerability. For Rexical versions 1.0.6 and earlier, update to Rexical v1.0.7 or later. As a temporary workaround, avoid calling Nokogiri::CSS::Tokenizer#load_file with user-supplied filenames until the patch is applied.
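The pattern the description names, as an added Ruby example (not the page's own code and not Rexical's or Nokogiri's): a load_file helper that hands the caller's filename to Kernel#open, which spawns a command when the name begins with "|", beside a hardened form that uses File.open and refuses pipe-prefixed names. The helper names, the pipe_prefixed? check and the sample scanner rules are constructed for this illustration.

```ruby
require "tempfile"

# Vulnerable pattern (constructed, not Rexical's generated code): the caller's
# filename is passed straight to Kernel#open. Kernel#open treats a name that
# begins with "|" as a command line to spawn, so a crafted "filename" runs a
# subprocess and the "file contents" are that command's stdout.
def load_file_unsafe(filename)
  open(filename, "r") { |f| f.read }
end

# Input check usable anywhere a user-controlled name reaches an open-style call.
def pipe_prefixed?(filename)
  filename.to_s.start_with?("|")
end

# Hardened form: File.open only ever treats its argument as a path, so a
# leading "|" yields Errno::ENOENT instead of a subprocess. The explicit
# check on top turns that into a clear, loggable refusal.
def load_file_safe(filename)
  if pipe_prefixed?(filename)
    raise ArgumentError, "refusing pipe-prefixed filename #{filename.inspect}"
  end
  File.open(filename, "r") { |f| f.read }
end

# Constructed Rexical-style scanner source used as the sample input.
SAMPLE_RULES = "rule\n  /\\d+/  { [:NUMBER, text.to_i] }\nend\n"

# Writes the sample rules to a temp file and reads it back through both
# helpers: on an honest path they agree, and the safe helper rejects a
# pipe-prefixed name before anything is opened.
def demo
  Tempfile.create("scanner.rex") do |t|
    t.write(SAMPLE_RULES)
    t.flush
    same = load_file_unsafe(t.path) == load_file_safe(t.path)
    refused = begin
      load_file_safe("|echo injected")
      false
    rescue ArgumentError
      true
    end
    { same: same, refused: refused }
  end
end

puts demo.inspect if __FILE__ == $0
```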

Exploit

Fix

Weakness Enumeration

OS Command Injection

Command Injection

Related Identifiers

BDU:2020-01362
CVE-2019-5477
DLA-1933-1
DLA-3149-1
DLA-3150-1
GHSA-CR5J-953J-XW5P
MGASA-2021-0063
OPENSUSE-SU-2021:0237-1
OPENSUSE-SU-2024:11340-1
OPENSUSE-SU-2024:11912-1
OPENSUSE-SU-2024:13165-1
OPENSUSE-SU-2024:14174-1
OPENSUSE-SU-2025:14697-1
OPENSUSE-SU-2026:10356-1
SUSE-SU-2019:2671-1
SUSE-SU-2019:2867-1
SUSE-SU-2021:0210-1
SUSE-SU-2021:0251-1
USN-4175-1

Affected Products

Astra Linux
Nokogiri
Rexical
Suse
Ubuntu