Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

Severity: High
Type: CWE-787 Out of bounds write
Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Published: Apr 11, 2022
Updated: Apr 14, 2023
GHSA: GHSA-v6gp-9mmm-c6p5
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
nokogiri	-	1.13.4

Vulnerability Database

Out-of-bounds Write in zlib affects Nokogiri

Summary

Mitigation

Impact

CVE-2018-25032 in zlib

Deep Security Visibility Without the Complexity