CVE-2022-24836

7.5 HIGH

📋 TL;DR

Nokogiri versions before 1.13.4 contain an inefficient regular expression that causes excessive backtracking when detecting encoding in HTML documents. This vulnerability allows attackers to cause denial of service through resource exhaustion. All Ruby applications using vulnerable Nokogiri versions are affected.

💻 Affected Systems

Products:
  • Nokogiri Ruby gem
Versions: All versions < 1.13.4
Operating Systems: All operating systems running Ruby with Nokogiri
Default Config Vulnerable: ⚠️ Yes
Notes: Any Ruby application using Nokogiri to parse HTML documents is vulnerable regardless of configuration.

📦 What is this software?

Nokogiri by Sparkle Motion

Nokogiri is an open-source Ruby gem for parsing, querying and manipulating HTML and XML documents. It is a common dependency of Ruby web applications and frameworks, so a defect in its parsing or encoding-detection code reaches any service that feeds it untrusted markup.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion from processing malicious HTML documents, potentially leading to extended downtime.

🟠 Likely Case: Degraded performance or temporary service disruption when processing specially crafted HTML input.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - Attackers can send malicious HTML documents to internet-facing endpoints using Nokogiri.
🏢 Internal Only: MEDIUM - Internal systems processing untrusted HTML content remain vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTML documents to endpoints that process them with Nokogiri. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13.4 and later

Vendor Advisory: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Restart Required: Yes

Instructions:

1. Update the Gemfile to specify 'gem "nokogiri", ">= 1.13.4"'
2. Run 'bundle update nokogiri'
3. Restart your Ruby application
4. Verify the update with 'bundle show nokogiri'

🔧 Temporary Workarounds

No known workarounds

The vulnerability is in the core encoding detection logic and cannot be bypassed without patching.

🧯 If You Can't Patch

  • Implement strict input validation to reject or sanitize HTML documents before Nokogiri processing
  • Deploy rate limiting and request timeouts to mitigate denial of service impact

🔍 How to Verify

Check if Vulnerable:

Run 'bundle show nokogiri' and check if version is below 1.13.4

Check Version:

bundle show nokogiri | grep -o 'nokogiri.*'

Verify Fix Applied:

Run 'bundle show nokogiri' and confirm version is 1.13.4 or higher
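The version check above and the timeout and input-validation controls listed under "If You Can't Patch", as an added example that is not part of this advisory or of the Nokogiri project. It assumes the output of 'bundle show nokogiri' is a gem path containing the version (the sample path is constructed), and the parse step is passed in as a block so the code runs without Nokogiri installed.

```ruby
# Added example (not from the advisory or the Nokogiri project): compare an
# installed Nokogiri version against the fixed release, and bound untrusted
# HTML parsing by input size and wall-clock time.
require "rubygems"
require "timeout"

FIXED_VERSION = Gem::Version.new("1.13.4")

# Extracts the gem version from a `bundle show nokogiri` path such as
# ".../gems/nokogiri-1.13.3-x86_64-linux" (constructed sample; real paths vary).
# Returns a Gem::Version, or nil if no version is found in the path.
def nokogiri_version_from_path(path)
  m = path.match(/nokogiri-(\d+\.\d+\.\d+(?:\.\w+)*)/)
  m && Gem::Version.new(m[1])
end

# True for every release before 1.13.4, including 1.13.4 pre-releases.
def vulnerable_version?(version)
  Gem::Version.new(version.to_s) < FIXED_VERSION
end

# Wraps a parse (supplied as a block) with an input-size cap and a timeout.
# Returns [:ok, result], [:too_large, nil] or [:timeout, nil]; the caller
# decides how to respond (for example reject the request rather than retry).
# Caveat: Timeout relies on Ruby thread interrupts, so it bounds time spent in
# Ruby code (such as Nokogiri's encoding-detection regex) but cannot reliably
# abort time spent inside native C parsing code.
def parse_with_limits(html, max_bytes: 1_000_000, seconds: 2.0)
  return [:too_large, nil] if html.bytesize > max_bytes
  result = Timeout.timeout(seconds) { yield html }
  [:ok, result]
rescue Timeout::Error
  [:timeout, nil]
end
```

On Ruby 3.2 or later, `Regexp.timeout=` additionally caps regex backtracking process-wide, which is a more direct bound on this class of defect than a request-level timeout.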

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for HTML parsing
  • High CPU usage spikes in Ruby processes
  • Request timeouts on endpoints processing HTML

Network Indicators:

  • Multiple large HTML document uploads to endpoints
  • Repeated requests with similar HTML payloads

SIEM Query:

source="application.log" AND ("nokogiri" OR "html parsing") AND (duration>10s OR "timeout" OR "CPU high")
