|
| 1 | +--- |
| 2 | +gem: nokogiri |
| 3 | +ghsa: 5w6v-399v-w3cc |
| 4 | +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc |
| 5 | +title: Nokogiri updates packaged libxml2 to v2.13.8 to resolve |
| 6 | + CVE-2025-32414 and CVE-2025-32415 |
| 7 | +date: 2025-04-21 |
| 8 | +description: | |
| 9 | + ## Summary |
| 10 | +
|
| 11 | + Nokogiri v1.18.8 upgrades its dependency libxml2 to |
| 12 | + [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8). |
| 13 | +
|
| 14 | + libxml2 v2.13.8 addresses: |
| 15 | +
|
| 16 | + - CVE-2025-32414 |
| 17 | + - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 |
| 18 | + - CVE-2025-32415 |
| 19 | + - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 |
| 20 | +
|
| 21 | + ## Impact |
| 22 | +
|
| 23 | + ### CVE-2025-32414: No impact |
| 24 | +
|
| 25 | + In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds |
| 26 | + memory access can occur in the Python API (Python bindings) because |
| 27 | + of an incorrect return value. This occurs in xmlPythonFileRead and |
| 28 | + xmlPythonFileReadRaw because of a difference between bytes and characters. |
| 29 | +
|
| 30 | + **There is no impact** from this CVE for Nokogiri users. |
| 31 | +
|
| 32 | + ### CVE-2025-32415: Low impact |
| 33 | +
|
| 34 | + In libxml2 before 2.13.8 and 2.14.x before 2.14.2, |
| 35 | + xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer |
| 36 | + under-read. To exploit this, a crafted XML document must be validated |
| 37 | + against an XML schema with certain identity constraints, or a |
| 38 | + crafted XML schema must be used. |
| 39 | +
|
| 40 | + In the upstream issue, further context is provided by the maintainer: |
| 41 | +
|
| 42 | + > The bug affects validation against untrusted XML Schemas (.xsd) |
| 43 | + > and validation of untrusted documents against trusted Schemas if |
| 44 | + > they make use of xsd:keyref in combination with recursively |
| 45 | + > defined types that have additional identity constraints. |
| 46 | +
|
| 47 | + MITRE has published a severity score of 2.9 LOW |
| 48 | + (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE. |
| 49 | +patched_versions: |
| 50 | + - ">= 1.18.8" |
| 51 | +related: |
| 52 | + cve: |
| 53 | + - CVE-2025-32414 |
| 54 | + - CVE-2025-32415 |
| 55 | + url: |
| 56 | + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc |
| 57 | + - https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8 |
| 58 | + - https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 |
| 59 | + - https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 |
| 60 | + - https://github.com/advisories/GHSA-5w6v-399v-w3cc |
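Review bot: the severity for CVE-2025-32415 appears only as prose in the description (lines 47-48, "2.9 LOW" with the CVSS:3.1 vector), and no score field sits next to `patched_versions`, so a consumer that reads the advisory's keys rather than its text gets no severity for this entry. Consider adding `cvss_v3: 2.9` before `patched_versions:`. Separately, the title says the fix is in the packaged libxml2, while `patched_versions` only names the gem version; if installs built against a separately provided libxml2 are in scope, a short mitigation paragraph after the Impact section should say what those users need to do.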