Advisory Database
  • Advisories
  • Dependency Scanning
  1. gem
  2. ›
  3. nokogiri
  4. ›
  5. CVE-2022-29181

CVE-2022-29181: Nokogiri Improperly Handles Unexpected Data Type

May 23, 2022 (updated May 27, 2025)

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

References

  • github.com/advisories/GHSA-xh29-r2w5-wx8m
  • github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml
  • github.com/sparklemotion/nokogiri
  • github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7
  • github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
  • github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
  • github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
  • nvd.nist.gov/vuln/detail/CVE-2022-29181
  • security.gentoo.org/glsa/202208-29
  • securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri
  • support.apple.com/kb/HT213532

Code Behaviors & Features

Detect and mitigate CVE-2022-29181 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.13.6

Fixed versions

  • 1.13.6

Solution

Upgrade to version 1.13.6 or above.

Impact 8.2 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Learn more about CVSS

Weakness

  • CWE-241: Improper Handling of Unexpected Data Type
  • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Source file

gem/nokogiri/CVE-2022-29181.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 30 Aug 2025 12:18:06 +0000.