PT-2022-7276 · Nekohtml+4 · Nekohtml+5

Published

2022-04-11

Updated

2026-03-13

CVE-2022-24839

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions Nokogiri versions prior to 1.9.22.noko2

Description The issue is related to uncontrolled resource consumption when parsing ill-formed HTML markup, which can lead to a java.lang.OutOfMemoryError exception. This can be exploited by a remote attacker to cause a denial of service. The upstream library org.cyberneko.html is no longer maintained, and the vulnerability applies only to the fork used by Nokogiri, located at https://github.com/sparklemotion/nekohtml.

Recommendations Upgrade to version >= 1.9.22.noko2 to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable HTML parser until a patch is available. Avoid parsing ill-formed HTML markup to minimize the risk of exploitation.

Exploit

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

ALSA-2025_16880

ALT-PU-2022-2027

ALT-PU-2023-4266

ALT-PU-2024-7812

BDU:2024-01887

CVE-2022-24839

GHSA-9849-P7JC-9RMV

GHSA-GX8X-G87M-H5Q6

OESA-2022-1636

OPENSUSE-SU-2024:11999-1

OPENSUSE-SU-2024:13165-1

OPENSUSE-SU-2024:14174-1

OPENSUSE-SU-2025:14697-1

OPENSUSE-SU-2026:10356-1

Affected Products

Alt Linux

Debian

Jira

Jira Service Management Server

Nokogiri

Nekohtml

PT-2022-7276 · Nekohtml+4 · Nekohtml+5

CVE-2022-24839

Weakness Enumeration

Related Identifiers

Affected Products

References · 77