A security advisory (GHSA-c4rq-3m3g-8wgx) has been published for the Nokogiri Ruby gem, disclosing three ReDoS (Regular Expression Denial of Service) vulnerabilities in its CSS selector tokenizer. Attacker-controlled input reaching CSS selector methods such as `Node#css`, `Node#at_css`, and `Nokogiri::CSS.xpath_for` can trigger exponential regex backtracking in the tokenizer, tying up the thread or worker for long enough to cause a denial of service. The fix is available in Nokogiri >= 1.19.3. For those unable to upgrade, the advisory lists two mitigations: keep attacker-controlled input out of CSS selectors altogether, or set `Regexp.timeout` on Ruby 3.2+ / JRuby 9.4+ so that a runaway match is aborted. Note that `Regexp.timeout` is a process-wide default and that a match exceeding it raises `Regexp::TimeoutError`, which the calling code must be prepared to handle. Severity is rated High (CVSS 7.5).
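The two mitigations above, worked through as an added example. This is not Nokogiri's code or the advisory's: it assumes a `node` object that responds to `#css` (a `Nokogiri::XML::Node` in real use) so that it runs without the gem installed, and the selector allowlist, the exception classes and the constructed catastrophic regex used for the smoke test are all invented for the example.

```ruby
# Added example, not Nokogiri's own code: the two mitigations the advisory
# offers when upgrading is not immediately possible. Nothing here requires the
# nokogiri gem; `node` is anything that responds to #css (a Nokogiri::XML::Node
# in real use), so the example runs stand-alone.

# Mitigation 1: a global regex timeout (Ruby 3.2+ / JRuby 9.4+). Returns true
# when the runtime supports Regexp.timeout=, false on older Rubies where the
# only option is to keep untrusted text out of selectors entirely.
def enable_regexp_timeout(seconds = 1.0)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

# Mitigation 2: never pass attacker-controlled strings to Node#css / #at_css /
# Nokogiri::CSS.xpath_for. Map the handful of lookups the application needs to
# fixed selectors and reject everything else. The keys and selectors below are
# constructed for this example.
SELECTORS = {
  "title"  => "head > title",
  "links"  => "a[href]",
  "images" => "img[src]",
}.freeze

class SelectorNotAllowed < ArgumentError; end
class SelectorTimeout < RuntimeError; end

def allowed_selector(key)
  SELECTORS.fetch(key.to_s) do
    raise SelectorNotAllowed, "selector key #{key.inspect} is not allowlisted"
  end
end

# Runs node.css with an allowlisted selector. Should a regex timeout fire inside
# the tokenizer anyway, it is converted to SelectorTimeout so the caller can
# fail the single request rather than the whole worker process.
def safe_css(node, key)
  node.css(allowed_selector(key))
rescue => e
  raise unless defined?(Regexp::TimeoutError) && e.is_a?(Regexp::TimeoutError)
  raise SelectorTimeout, "CSS selector matching exceeded Regexp.timeout"
end

# Sanity check that the global timeout really interrupts a backtracking match.
# The pattern is a constructed catastrophic regex (the back-reference keeps
# Ruby 3.2+'s regex memoization from short-circuiting it), not Nokogiri's
# tokenizer. Returns :timed_out, :completed, or :unsupported on older Rubies.
def timeout_smoke_test(input = "a" * 40 + "!")
  return :unsupported unless enable_regexp_timeout(0.2)
  /\A(a+)+\1\z/.match?(input)
  :completed
rescue Regexp::TimeoutError
  :timed_out
end

if __FILE__ == $PROGRAM_NAME
  puts "Regexp.timeout set: #{enable_regexp_timeout(1.0)}"
  puts "smoke test: #{timeout_smoke_test}"
end
```

In an application the allowlist is the mitigation that actually removes the attack surface; `Regexp.timeout` is a backstop that bounds the damage if untrusted text still reaches a selector, and because it is process-wide it also applies to every other regex in the process, so pick a value that legitimate matches never hit.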

From rubysec.com