Platform
ruby
Component
nokogiri
Fixed in
1.7.1
CVE-2016-4658 is a critical use-after-free vulnerability affecting Nokogiri versions up to 1.7.0.1. This flaw, originating in libxml2, allows attackers to potentially execute arbitrary code or cause a denial of service by crafting malicious XML documents. The vulnerability was published in 2018 and a fix is available in Nokogiri 1.7.1.
The core of this vulnerability lies in how Nokogiri, which relies on libxml2 for XML parsing, handles XPointer ranges. libxml2, prior to version 2.9.5, fails to prevent namespace nodes within these ranges, creating a scenario where an attacker can manipulate the XML structure to trigger a use-after-free condition. This can lead to arbitrary code execution, granting an attacker complete control over the affected system. Alternatively, the memory corruption caused by the vulnerability can result in a denial of service, crashing the application or the entire system. The impact is particularly severe because Nokogiri is widely used in Ruby applications for parsing and manipulating XML data, making a broad range of systems potentially vulnerable.
CVE-2016-4658 gained significant attention due to its CRITICAL severity and potential for remote code execution. While no active exploitation campaigns have been publicly confirmed, the vulnerability's presence in a widely used library like Nokogiri makes it a high-priority target. It was added to the CISA KEV catalog, indicating a potential for exploitation. A public proof-of-concept was released, demonstrating the feasibility of exploiting the vulnerability.
Exploit Status
EPSS
18.10% (95th percentile)
CVSS Vector
The primary mitigation for CVE-2016-4658 is to upgrade Nokogiri to version 1.7.1 or later. This version incorporates the fix from libxml2 2.9.5, which properly handles namespace nodes in XPointer ranges. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to sanitize XML documents before parsing. Specifically, restrict the use of XPointer ranges and carefully validate the structure of XML documents. While not a complete solution, this can reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, emphasizing the importance of patching.
CVE-2016-4658 is a critical vulnerability in Nokogiri versions up to 1.7.0.1 that allows for arbitrary code execution or denial of service through crafted XML documents due to a use-after-free condition in libxml2.
If you are using Nokogiri version 1.7.0.1 or earlier, you are vulnerable. Check your version with gem list nokogiri.
Upgrade Nokogiri to version 1.7.1 or later. This resolves the underlying libxml2 issue.
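The version check and the upgrade threshold above can be automated. The following Ruby script is an added example, not code from the advisory or from the Nokogiri project: it compares a Nokogiri version string against the 1.7.1 fix version using Gem::Version, and it pulls the locked version out of a Gemfile.lock so the same check can run in CI before deployment. The Gemfile.lock fragment is constructed for the example; the threshold 1.7.1 is the one stated on this page.

```ruby
# Added example: flag Nokogiri versions affected by CVE-2016-4658
# (<= 1.7.0.1 per the advisory; fixed in 1.7.1). Not part of the original page.
require "rubygems"

# Fix version as stated in the advisory.
FIXED_NOKOGIRI = Gem::Version.new("1.7.1")

# True when the given Nokogiri version string is older than 1.7.1.
# Gem::Version handles four-segment versions such as "1.7.0.1" correctly.
def nokogiri_affected?(version)
  Gem::Version.new(version) < FIXED_NOKOGIRI
end

# Extracts the locked nokogiri version from Gemfile.lock text, or nil if the
# gem is not locked. Only "specs:" entries of the form "nokogiri (x.y.z)" match;
# dependency constraints like "nokogiri (~> 1.6)" do not. A platform suffix
# such as "1.13.3-x86_64-linux" is stripped to the bare version.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^\s*nokogiri \(([^)\s]+)\)/)
  m && m[1].split("-").first
end

# :affected, :fixed, or :not_present for a Gemfile.lock's contents.
def gemfile_lock_status(lockfile_text)
  version = locked_nokogiri_version(lockfile_text)
  return :not_present unless version
  nokogiri_affected?(version) ? :affected : :fixed
end

# Constructed Gemfile.lock fragment (hypothetical project) locking the last
# affected release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.1.0)
      nokogiri (1.7.0.1)
        mini_portile2 (~> 2.1.0)
      rake (12.0.0)
LOCK

if __FILE__ == $0
  puts "sample Gemfile.lock: #{gemfile_lock_status(SAMPLE_LOCK)}"

  # Also inspect whatever nokogiri gem is installed locally, if any.
  installed = Gem::Specification.find_all_by_name("nokogiri").map(&:version)
  if installed.empty?
    puts "installed nokogiri: none found"
  else
    installed.each do |v|
      puts "installed nokogiri #{v}: #{nokogiri_affected?(v.to_s) ? 'AFFECTED' : 'fixed'}"
    end
  end
end
```

Run it with a real lockfile by passing `File.read("Gemfile.lock")` to `gemfile_lock_status`; a result of `:affected` means the locked release predates the fix and the upgrade step above applies.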
While no active campaigns are confirmed, the vulnerability's severity and widespread use of Nokogiri make it a potential target. It has been added to the CISA KEV catalog.
Refer to the Nokogiri project's release notes and security advisories on their GitHub repository: https://github.com/nokogiri/nokogiri/releases