PT-2022-7289 · Nokogiri+6
Agustin Gianni · Published 2022-05-20 · Updated 2026-03-13
CVE-2022-29181
CVSS v2.0: 8.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Nokogiri versions prior to 1.13.6
Description
The issue stems from improper handling of unexpected data types in the Nokogiri library for Ruby. Nokogiri does not type-check all inputs into its XML and HTML4 SAX parsers: when a non-String object is passed where a String is expected, the native extension treats it as if it were a String (a type confusion), so specially crafted untrusted input can trigger an illegal memory access (a crash, hence denial of service) or reads from unrelated memory (information disclosure). Remote exploitation requires that an attacker be able to control the type, not only the content, of the object handed to a SAX parser entry point.
Recommendations
For versions prior to 1.13.6, upgrade to Nokogiri 1.13.6 or later.
As a temporary workaround, ensure that untrusted input is a String before it reaches the SAX parsers, for example by calling #to_s on it (or an equivalent conversion) and verifying that the result really is a String. Applications that only ever pass String values to the parsers are not exposed; the workaround matters where attacker-influenced data of arbitrary type (for instance a value decoded from JSON) is passed straight to a parser.
Tags: Exploit · Fix · DoS · Type Confusion
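As an added example (not code from this advisory or from the Nokogiri project), the following Ruby shows the two recommendations as a small guard: a version check against the 1.13.6 fix, and a wrapper that guarantees only a String ever reaches the SAX parser. The helper names (nokogiri_patched?, sax_safe_input, parse_untrusted_sax) and the sample XML are assumptions made here; the Nokogiri calls used (Nokogiri::XML::SAX::Parser#parse_memory, Nokogiri::XML::SAX::Document#start_element) are the library's real API. The guard also covers an edge case the literal "#to_s" workaround leaves open: a hostile object whose #to_s returns something other than a String.

```ruby
# Added example: input guard for CVE-2022-29181 (Nokogiri SAX type confusion).
# Not Nokogiri project code; helper names are hypothetical.
require "rubygems" # Gem::Version (normally loaded already)

# First Nokogiri release carrying the fix named in the advisory.
NOKOGIRI_FIXED_VERSION = Gem::Version.new("1.13.6")

# Returns true when the given Nokogiri version string includes the fix.
def nokogiri_patched?(version_string)
  Gem::Version.new(version_string) >= NOKOGIRI_FIXED_VERSION
end

# Workaround for unpatched versions: never let a non-String object reach the
# SAX parser's native code. With coerce: false (default) anything that is not
# a String is rejected; with coerce: true the advisory's #to_s workaround is
# applied, but the result is re-checked because a hostile object may define
# #to_s to return something that is still not a String.
def sax_safe_input(data, coerce: false)
  return data if data.is_a?(String)
  unless coerce
    raise TypeError, "SAX parser input must be a String, got #{data.class}"
  end
  coerced = data.to_s
  unless coerced.is_a?(String)
    raise TypeError, "to_s on #{data.class} returned #{coerced.class}, not String"
  end
  coerced
end

# Hypothetical wrapper: every SAX parse in an application goes through here so
# the type check cannot be forgotten at an individual call site.
def parse_untrusted_sax(parser, data, coerce: false)
  parser.parse_memory(sax_safe_input(data, coerce: coerce))
end

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri"
    puts "Nokogiri #{Nokogiri::VERSION} patched for CVE-2022-29181: " \
         "#{nokogiri_patched?(Nokogiri::VERSION)}"

    # Minimal SAX handler that counts opened elements.
    counter = Class.new(Nokogiri::XML::SAX::Document) do
      attr_reader :count
      def initialize; super; @count = 0; end
      def start_element(_name, _attrs = []); @count += 1; end
    end.new
    parser = Nokogiri::XML::SAX::Parser.new(counter)

    parse_untrusted_sax(parser, "<root><a/><b/></root>") # constructed input
    puts "elements seen: #{counter.count}"

    # An attacker-controlled non-String value (e.g. a number decoded from JSON)
    # is stopped here instead of reaching the native parser.
    begin
      parse_untrusted_sax(parser, 12345)
    rescue TypeError => e
      puts "rejected: #{e.message}"
    end
  rescue LoadError
    puts "nokogiri gem not installed; the type-check helpers still work"
  end
end
```

Rejecting non-Strings outright is preferable to coercing them: a parser that receives an Integer or Array is almost always a logic bug upstream, and coercion hides it. Once the library is upgraded the guard is redundant but harmless, so it can stay in place during a staged rollout.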
Affected Products
Debian
Linux Mint
Apple macOS
Nokogiri
RED OS
SUSE
Ubuntu