CVE-2025-6494

Name of the Vulnerable Software and Affected Versions: sparklemotion nokogiri versions up to 1.18.7

Description: A vulnerability was found in sparklemotion nokogiri, affecting the function hashmap get with hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Recommendations: To fix this issue, apply the patch named ada4708e5a67114402cd3feb70a4e1d1d7cf773a. As a temporary workaround, consider disabling the hashmap get with hash function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the vulnerable function in the affected API endpoint until the issue is resolved.