Skip to content

Commit 72e9c42

Browse files
jasnowRubySec CI
jasnow
authored and
RubySec CI
committed
Updated advisory posts against rubysec/ruby-advisory-db@3e4a2ea 
1 parent c6ae4cb commit 72e9c42

File tree

1 file changed

+68
-0
lines changed

1 file changed

+68
-0
lines changed

advisories/_posts/2025-04-21-GHSA-5w6v-399v-w3cc.md

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-5w6v-399v-w3cc (nokogiri): Nokogiri updates packaged libxml2 to v2.13.8
4+
to resolve CVE-2025-32414 and CVE-2025-32415'
5+
comments: false
6+
categories:
7+
- nokogiri
8+
advisory:
9+
gem: nokogiri
10+
ghsa: 5w6v-399v-w3cc
11+
url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
12+
title: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and
13+
CVE-2025-32415
14+
date: 2025-04-21
15+
description: |
16+
## Summary
17+
18+
Nokogiri v1.18.8 upgrades its dependency libxml2 to
19+
[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).
20+
21+
libxml2 v2.13.8 addresses:
22+
23+
- CVE-2025-32414
24+
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
25+
- CVE-2025-32415
26+
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
27+
28+
## Impact
29+
30+
### CVE-2025-32414: No impact
31+
32+
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds
33+
memory access can occur in the Python API (Python bindings) because
34+
of an incorrect return value. This occurs in xmlPythonFileRead and
35+
xmlPythonFileReadRaw because of a difference between bytes and characters.
36+
37+
**There is no impact** from this CVE for Nokogiri users.
38+
39+
### CVE-2025-32415: Low impact
40+
41+
In libxml2 before 2.13.8 and 2.14.x before 2.14.2,
42+
xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer
43+
under-read. To exploit this, a crafted XML document must be validated
44+
against an XML schema with certain identity constraints, or a
45+
crafted XML schema must be used.
46+
47+
In the upstream issue, further context is provided by the maintainer:
48+
49+
> The bug affects validation against untrusted XML Schemas (.xsd)
50+
> and validation of untrusted documents against trusted Schemas if
51+
> they make use of xsd:keyref in combination with recursively
52+
> defined types that have additional identity constraints.
53+
54+
MITRE has published a severity score of 2.9 LOW
55+
(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.
56+
patched_versions:
57+
- ">= 1.18.8"
58+
related:
59+
cve:
60+
- CVE-2025-32414
61+
- CVE-2025-32415
62+
url:
63+
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
64+
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8
65+
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
66+
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
67+
- https://github.com/advisories/GHSA-5w6v-399v-w3cc
68+
---

0 commit comments

Comments
 (0)