Nokogiri

This hub aggregates every CVE we track for Nokogiri, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Nokogiri.

• CVE-2025-6494sparklemotion nokogiri hashmap.c hashmap_get_with_hash heap-based overflow3.3Jun 22, 2025
• CVE-2025-6490sparklemotion nokogiri hashmap.c hashmap_set_with_hash heap-based overflow3.3Jun 22, 2025
• CVE-2022-23476Unchecked return value from xmlTextReaderExpand in Nokogiri7.5Dec 8, 2022
• CVE-2022-29181Improper Handling of Unexpected Data Type in Nokogiri8.2May 20, 2022
• CVE-2022-24836Inefficient Regular Expression Complexity in Nokogiri7.5Apr 11, 2022
• CVE-2018-25032zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.7.5Mar 25, 2022
• CVE-2021-41098Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby7.5Sep 27, 2021
• CVE-2021-30560Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.8.8Aug 3, 2021
• CVE-2021-3517There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the aff...8.6May 19, 2021
• CVE-2021-3518There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The great...8.8May 18, 2021
• CVE-2021-3537A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parse...5.9May 14, 2021
• CVE-2020-26247XXE in Nokogiri2.6Dec 30, 2020
• CVE-2012-6685Nokogiri before 1.5.4 is vulnerable to XXE attacks7.5Feb 19, 2020
• CVE-2020-7595xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.7.5Jan 21, 2020
• CVE-2019-5815Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.7.5Dec 11, 2019