Fix CVE-2022-24836 in Nokogiri (severity: HIGH)

Fix CVE-2022-24836 (ReDoS in CSS selector parsing) in Nokogiri for Ruby. Paste your Gemfile into PackageFix and get a patched version back — no CLI, no signup.

⚠ Vulnerability

CVE-2022-24836 — ReDoS in CSS selector parsing in Nokogiri. Update to 1.16.5 or later.

Vulnerable Version — Gemfile

gem 'nokogiri', '1.11.0'

Fixed Version — Gemfile

gem 'nokogiri', '1.16.5'

✓ Fix

Update to 1.16.5 and run bundle install to apply the fix.
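As an added example (not part of this page and not PackageFix's own code), a small Ruby check that reads a Gemfile and Gemfile.lock, extracts the nokogiri constraint, and reports whether it pins a version below the minimum safe version stated above (1.16.5) or whether the declared range can still resolve to it with bundle update; the sample Gemfile and lock text are constructed.

```ruby
require 'rubygems'

# Minimum safe version as stated on this page (not re-verified here against the upstream advisory).
FIXED_VERSION = Gem::Version.new('1.16.5')

# Quoted strings that look like version requirements ('1.11.0', '~> 1.11', '>= 1.16.5').
VERSION_CONSTRAINT = /\A(?:[<>=~!]+\s*)?\d+(?:\.\d+)*(?:\.[A-Za-z0-9]+)*\z/

# Version constraints on the `gem 'nokogiri', ...` line of a Gemfile, or nil if absent.
# Options such as `require: false` or `git: '...'` are dropped by the pattern filter.
def nokogiri_constraints(gemfile_text)
  gemfile_text.each_line do |line|
    next unless line =~ /\A\s*gem\s+['"]nokogiri['"](.*)\z/m
    return $1.scan(/['"]([^'"]+)['"]/).flatten.grep(VERSION_CONSTRAINT)
  end
  nil
end

# Classify the Gemfile's nokogiri declaration relative to FIXED_VERSION.
def gemfile_status(gemfile_text)
  constraints = nokogiri_constraints(gemfile_text)
  return :not_declared if constraints.nil?
  exact = constraints.find { |c| c =~ /\A\d/ }   # a bare version such as '1.11.0' is an exact pin
  return (Gem::Version.new(exact) < FIXED_VERSION ? :vulnerable_pin : :fixed_pin) if exact
  # A range like '~> 1.11' lets `bundle update nokogiri` reach the fixed release;
  # '~> 1.11.0' does not, so the Gemfile itself must be edited.
  Gem::Requirement.new(constraints).satisfied_by?(FIXED_VERSION) ? :fix_reachable : :constraint_blocks_fix
end

# Gemfile.lock records the resolved version, e.g. `    nokogiri (1.11.0-x86_64-linux)`.
def locked_nokogiri_version(lock_text)
  m = lock_text.match(/^\s+nokogiri \((\d+(?:\.\d+)*)[^)]*\)/)
  m && Gem::Version.new(m[1])
end

def lock_vulnerable?(lock_text)
  v = locked_nokogiri_version(lock_text)
  !v.nil? && v < FIXED_VERSION
end

# Constructed sample inputs mirroring the Gemfile lines shown above.
VULNERABLE_GEMFILE = "source 'https://rubygems.org'\ngem 'rails'\ngem 'nokogiri', '1.11.0'\n"
FIXED_GEMFILE = "gem \"nokogiri\", \"1.16.5\", require: false\n"
SAMPLE_LOCK = "GEM\n  specs:\n    nokogiri (1.11.0-x86_64-linux)\n      racc (~> 1.4)\n"

puts gemfile_status(VULNERABLE_GEMFILE)   # vulnerable_pin
puts gemfile_status(FIXED_GEMFILE)        # fixed_pin
puts lock_vulnerable?(SAMPLE_LOCK)        # true
```

Checking Gemfile.lock as well as the Gemfile matters because a loose constraint in the Gemfile says nothing about which release is actually locked and deployed.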

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.


No signup · No CLI · No GitHub connection · Runs 100% in your browser

Frequently Asked Questions

What is CVE-2022-24836?
CVE-2022-24836 is a vulnerability in Nokogiri that allows a ReDoS (regular expression denial of service) in CSS selector parsing: a crafted selector causes the parser's regular expression to take excessive time. Update to version 1.16.5 or later to fix it.
Is CVE-2022-24836 on the CISA KEV catalog?
Check the live CISA KEV catalog at packagefix.dev — the catalog updates daily and PackageFix always reflects the current status.
How do I fix CVE-2022-24836 in Nokogiri?
Update Nokogiri to version 1.16.5 or later in your Gemfile. Run bundle install after updating.
Does CVE-2022-24836 affect all versions of Nokogiri?
Check the OSV advisory for the exact affected version range. PackageFix shows the minimum safe version for your installed version.