GHSA-c4rq-3m3g-8wgx
Inefficient Regular Expression Complexity vulnerability in nokogiri (RubyGems)

Weakness class: Inefficient Regular Expression Complexity. Known public exploits: none.

What is GHSA-c4rq-3m3g-8wgx About?

Nokogiri's CSS selector tokenizer contains regular expressions that are vulnerable to exponential backtracking (ReDoS) when processing adversarial selectors. This can lead to a denial of service by consuming excessive CPU resources. Exploitation is possible if an attacker can inject user-supplied text into CSS selector parsing methods.

Affected Software

nokogiri <1.19.3

Technical Details

The vulnerability in Nokogiri's CSS selector tokenizer stems from the construction of several regular expressions that exhibit inefficient complexity (CWE-1333). Specifically, three vectors lead to ReDoS: string-literal tokenization with certain unterminated quoted-string input, string-literal tokenization with hex-escape-rich input, and identifier tokenization with hex-escape-rich input. When an attacker provides a specially crafted CSS selector containing these patterns, the regular expressions used in methods like Nokogiri::CSS.xpath_for, Node#css, Node#at_css, Searchable#search, and CSS::Parser#parse engage in exponential backtracking. This excessive computation consumes CPU cycles and memory, causing the application to become unresponsive and leading to a denial of service.

What is the Impact of GHSA-c4rq-3m3g-8wgx?

Successful exploitation may allow attackers to cause a denial of service by triggering exponential regex backtracking. This results in high CPU utilization and application unresponsiveness.

What is the Exploitability of GHSA-c4rq-3m3g-8wgx?

Exploiting this vulnerability has low complexity. It requires an attacker to be able to inject user-supplied text into a CSS selector parsing method that eventually reaches Nokogiri's internal tokenizer. No authentication or specific privileges are required, and the attack can be performed remotely if the vulnerable endpoint is exposed. The primary prerequisite is that the application does not validate or sanitize user-provided CSS selectors before passing them to Nokogiri. The risk is significantly higher in applications that dynamically build CSS selectors from untrusted user input, such as those allowing custom styling or complex search queries.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits (table is empty)

What are the Available Fixes for GHSA-c4rq-3m3g-8wgx?

Available Upgrade Options

  • nokogiri
    • <1.19.3 → Upgrade to 1.19.3
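The exploitability section above notes that the precondition is passing unvalidated user text into a CSS selector method, and the fix section gives the affected range as nokogiri <1.19.3. The following is an added example, not Nokogiri project code or part of the advisory, showing both defensive checks in Ruby: a dependency-version test against the fixed version stated here, and a conservative allowlist validator that rejects CSS escapes, unterminated or single-quoted strings and over-long input before a selector is handed to `#css`. The grammar, the length cap, the `guarded_css` wrapper and the `UnsafeSelectorError` class are all assumptions of this example; `Regexp.timeout=` is a real Ruby 3.2+ API used here only as defense in depth.

```ruby
require "rubygems"

# Fixed version as stated in the advisory (nokogiri < 1.19.3 is affected).
FIXED_NOKOGIRI = Gem::Version.new("1.19.3")

# True when the given version string falls inside the affected range.
def affected_nokogiri_version?(version_string)
  Gem::Version.new(version_string) < FIXED_NOKOGIRI
end

# Example-specific cap; real applications should pick a limit that fits their selectors.
MAX_SELECTOR_LENGTH = 256

# Allowlist grammar for ONE compound selector (assumption of this example):
#   optional tag or '*', then any number of .class / #id parts, then any number of
#   [attr] or [attr="value"] parts whose value contains no quotes, spaces or backslashes.
# Every repeated group starts with a distinct delimiter, so this regex itself is linear.
COMPOUND_SELECTOR = /\A(?:[a-zA-Z][\w-]*|\*)?(?:[.#][a-zA-Z_][\w-]*)*(?:\[[a-zA-Z][\w-]*(?:[~|^$*]?="[\w.\/:-]*")?\])*\z/

# Accepts only descendant (whitespace) and child ('>') combinators between compounds.
COMBINATOR_SPLIT = /\s*>\s*|\s+/

# Returns true only for selectors that stay inside the allowlist grammar.
def safe_css_selector?(selector)
  return false unless selector.is_a?(String)
  return false if selector.empty? || selector.length > MAX_SELECTOR_LENGTH
  return false if selector.include?("\\")   # no CSS hex/character escapes at all
  return false if selector.include?("'")    # single-quoted strings are not allowed
  return false if selector.count('"').odd?  # unterminated double-quoted string

  selector.strip.split(COMBINATOR_SPLIT).all? do |compound|
    !compound.empty? && compound.match?(COMPOUND_SELECTOR)
  end
end

class UnsafeSelectorError < ArgumentError; end

# Wrapper for untrusted selectors. `node` is anything responding to #css,
# e.g. a Nokogiri::XML::Node; the validator runs before Nokogiri's tokenizer sees the input.
def guarded_css(node, selector)
  raise UnsafeSelectorError, "rejected selector: #{selector.inspect}" unless safe_css_selector?(selector)
  node.css(selector)
end

# Defense in depth on Ruby 3.2+: bound every Regexp match process-wide so a
# backtracking blow-up raises Regexp::TimeoutError instead of pinning a CPU.
# Returns true when the interpreter supports the setting.
def enable_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "nokogiri 1.18.9 affected? #{affected_nokogiri_version?("1.18.9")}"
  puts "safe? #{safe_css_selector?('div.content > a[href]')}"
  puts "safe? #{safe_css_selector?('a[title="unterminated')}"
end
```

The validator is deliberately narrower than the CSS grammar Nokogiri accepts: pseudo-classes, `:not()`, escapes and single-quoted attribute values are all rejected, which is the right trade-off when the selector originates from a user. Upgrading to 1.19.3 remains the actual fix; the version check is for confirming that in CI or a dependency audit.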


Additional Resources

What are Similar Vulnerabilities to GHSA-c4rq-3m3g-8wgx?

Similar Vulnerabilities: CVE-2023-45803, CVE-2023-41040, CVE-2022-38709, CVE-2022-26135, CVE-2021-41908