CVE-2022-29181 — Improper Handling of Unexpected Data Type in Nokogiri

CWE-241 — Improper Handling of Unexpected Data Type CWE-843 — Type Confusion9 documents7 sources

Severity

8.2HIGHNVD

OSV4.3

EPSS

4.2%

top 11.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sparklemotion Nokogiri Apple Macos Nokogiri +2 more

Timeline

PublishedMay 20

Latest updateJul 21

Description

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages6 packages

▶debiandebian/ruby-nokogiri< ruby-nokogiri 1.13.7+dfsg-1 (bookworm)

▶NVDnokogiri/nokogiri< 1.13.6

▶RubyGemsnokogiri/nokogiri< 1.13.6

▶CVEListV5sparklemotion/nokogiri< 1.13.6

▶NVDapple/macos13.0 — 13.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

ruby-nokogiri vulnerabilities↗2025-07-21

▶

GHSA

Nokogiri Improperly Handles Unexpected Data Type↗2022-05-23

▶

OSV

Nokogiri Improperly Handles Unexpected Data Type↗2022-05-23

▶

OSV

CVE-2022-29181: Nokogiri is an open source XML and HTML library for Ruby↗2022-05-20

▶

📋Vendor Advisories

Ubuntu

Nokogiri vulnerabilities↗2025-07-21

▶

Apple

CVE-2022-29181: macOS Ventura 13.1↗2022-12-13

▶

Red Hat

rubygem-nokogiri: Improper Handling of Unexpected Data Type in Nokogiri↗2022-05-19

▶

Debian

CVE-2022-29181: ruby-nokogiri - Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to vers...↗2022

▶