1 file changed, +44 -0 lines changed
1+ ---
2+ gem : nokogiri
3+ ghsa : mrxw-mxhj-p664
4+ url : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664
5+ title : Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs
6+ date : 2025-03-14
7+ description : |
8+ ## Summary
9+
10+ Nokogiri v1.18.4 upgrades its dependency libxslt to
11+ [v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43).
12+
13+ libxslt v1.1.43 resolves:
14+
15+ - CVE-2025-24855: Fix use-after-free of XPath context node
16+ - CVE-2024-55549: Fix UAF related to excluded namespaces
17+
18+ ## Impact
19+
20+ ### CVE-2025-24855
21+
22+ - "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"
23+ - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
24+ - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
25+ - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855
26+
27+ ### CVE-2024-55549
28+
29+ - "Use-after-free related to excluded result prefixes"
30+ - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
31+ - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
32+ - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549
33+ cvss_v3 : 7.8
34+ patched_versions :
35+ - " >= 1.18.4"
36+ related :
37+ url :
38+ - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664
39+ - https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
40+ - https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
41+ - https://github.com/advisories/GHSA-mrxw-mxhj-p664
42+ cve :
43+ - https://nvd.nist.gov/vuln/detail/CVE-2024-55549
44+ - https://nvd.nist.gov/vuln/detail/CVE-2025-24855
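Review bot: The identifier style is inconsistent within the file: `ghsa` (line 3) holds the bare id `mrxw-mxhj-p664`, while the two `related.cve` entries (lines 43-44) are full NVD URLs rather than bare ids such as `2024-55549` and `2025-24855`. Since this advisory covers two CVEs and has no top-level `cve` field, `related.cve` is the only place a consumer matching on CVE identifiers will look, so bare ids there (with the NVD links kept under `related.url`, where the other links already live) would be safer. Minor: the first `related.url` entry (line 38) repeats the top-level `url` (line 4) verbatim and could be dropped.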
0 commit comments