CVE-2022-24836
Inefficient regular expression vulnerability in nokogiri (RubyGems)

Inefficient regular expression No known exploit

What is CVE-2022-24836 About?

Nokogiri versions prior to v1.13.4 contain an inefficient regular expression susceptible to excessive backtracking when detecting encoding in HTML documents. This can lead to a denial of service (DoS) by causing the application to consume excessive resources when processing specially crafted HTML. Exploitation is relatively straightforward by providing malicious input.

Affected Software

nokogiri <1.13.4

Technical Details

The vulnerability in Nokogiri < v1.13.4 stems from an inefficient regular expression (regex) used for HTML encoding detection, categorized as CWE-1333 (Inefficient Regular Expression Complexity). When the application processes HTML documents containing specific patterns that trigger the worst case for this regex, it becomes susceptible to 'catastrophic backtracking': the regex engine consumes an inordinate amount of CPU time and memory to evaluate the pattern, often growing exponentially with the input length. An attacker can craft a malicious HTML document designed to exacerbate this backtracking, causing the Nokogiri parser (and thus the application using it) to hang or crash, resulting in a denial of service. The attack vector involves sending such a specially crafted HTML document to an application that processes it with a vulnerable Nokogiri version.

What is the Impact of CVE-2022-24836?

Successful exploitation may allow attackers to cause a denial of service by consuming excessive CPU and memory resources.

What is the Exploitability of CVE-2022-24836?

Exploitation of this vulnerability is of low to medium complexity. Prerequisites involve an application that accepts and processes untrusted HTML documents using a vulnerable version of Nokogiri. No authentication or elevated privileges are typically required, as an attacker usually only needs to submit the specially crafted HTML. This is a remote vulnerability, as the attacker can send the malicious HTML over the network. The primary risk factor is accepting and parsing untrusted HTML data without proper input validation or a patched Nokogiri version. The likelihood of exploitation increases in web applications that handle user-generated content or external documents.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2022-24836?

Available Upgrade Options

  • nokogiri
    • <1.13.4 → Upgrade to 1.13.4
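As an added defensive example (not code from this advisory or from the Nokogiri project), the Ruby guard below refuses to hand untrusted HTML to an affected gem version and bounds the input size before parsing; the function names and the max_bytes limit are assumptions, not Nokogiri settings:

```ruby
require "rubygems"

# First release that fixes CVE-2022-24836, per the advisory above.
FIXED_NOKOGIRI = Gem::Version.new("1.13.4")

# True when the given nokogiri version string is still affected.
def nokogiri_affected?(version)
  Gem::Version.new(version) < FIXED_NOKOGIRI
end

# Version of the nokogiri gem installed in this environment, or nil if absent.
def installed_nokogiri_version
  Gem::Specification.find_by_name("nokogiri").version.to_s
rescue Gem::MissingSpecError
  nil
end

# Wrapper for HTML from untrusted sources (assumed helper, not a Nokogiri API):
# 1. rejects oversized documents before any regex-based encoding detection runs,
#    since backtracking cost grows with input length;
# 2. refuses to parse at all while an affected gem version is installed,
#    turning a silent DoS exposure into a loud deployment failure.
def parse_untrusted_html(html, max_bytes: 1_000_000)
  if html.bytesize > max_bytes
    raise ArgumentError, "document is #{html.bytesize} bytes; limit is #{max_bytes}"
  end
  v = installed_nokogiri_version
  if v && nokogiri_affected?(v)
    raise "nokogiri #{v} is affected by CVE-2022-24836; upgrade to >= 1.13.4"
  end
  require "nokogiri"
  Nokogiri::HTML(html)
end
```

Run the version check in CI or at boot so an affected gem is caught before it sees attacker-controlled HTML.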


Additional Resources

What are Similar Vulnerabilities to CVE-2022-24836?

Similar Vulnerabilities: CVE-2007-0097, CVE-2012-5881, CVE-2015-8272, CVE-2017-2680, CVE-2019-1000021