How severe is GHSA-fq42-c5rg-92c2?

No CVSS score has been assigned to GHSA-fq42-c5rg-92c2 yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-fq42-c5rg-92c2?

GHSA-fq42-c5rg-92c2 affects the following packages: nokogiri (RubyGems). Ecosystems affected: RubyGems.

How do I fix GHSA-fq42-c5rg-92c2?

Update nokogiri to 1.13.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fq42-c5rg-92c2 is resolved across your whole dependency graph.

How do I detect GHSA-fq42-c5rg-92c2 in my RubyGems dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for nokogiri. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-fq42-c5rg-92c2 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-fq42-c5rg-92c2?

O3 pinpoints whether GHSA-fq42-c5rg-92c2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-fq42-c5rg-92c2 actively exploited in the wild?

No public exploit code has been indexed for GHSA-fq42-c5rg-92c2 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-fq42-c5rg-92c2 published, and has it been updated?

GHSA-fq42-c5rg-92c2 was published on February 25, 2022 and was last updated on December 5, 2024. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

💎 RubyGems

GHSA-fq42-c5rg-92c2

Vulnerable dependencies in Nokogiri

Published

Feb 25, 2022

Updated

Dec 5, 2024

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

💎nokogiri

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects RubyGems packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

vendored libxml2 from v2.9.12 to v2.9.13
vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
libxml2: CVE-2022-23308 (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

libxslt CVE-2021-30560

CVSS3 score: 8.8 (High)
Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html

The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false.

An analysis of these parse options:

While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
💎RubyGems	`nokogiri`	all versions	1.13.2

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for nokogiri. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update nokogiri to 1.13.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fq42-c5rg-92c2 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-fq42-c5rg-92c2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-fq42-c5rg-92c2. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary Nokogiri [v1.13.2](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to [v2.9.13](https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) - vendored libxslt from v1.1.34 to [v1.1.35](https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) Those library versions address the following upstream CVEs: - libxslt: [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) - libxml2: [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022

O3 Security · Impact-Aware SCA

Is GHSA-fq42-c5rg-92c2 in your dependencies?

O3 detects GHSA-fq42-c5rg-92c2 across RubyGems dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works