CVE-2022-24836 — Nokogiri ReDoS HIGH
ruby
CVSS 7.5 · nokogiri < 1.13.4 → 1.16.5
Nokogiri versions before 1.13.4 contain an inefficient regular expression in the HTML4 encoding-detection code, which runs when an HTML document is parsed without an explicit encoding. Crafted HTML drives that regex into excessive backtracking, so a Ruby application that parses attacker-supplied HTML (a scraper, a sanitizer, an upload or e-mail processor) with a vulnerable Nokogiri can be pinned at full CPU for as long as the match takes. The result is a denial of service that needs no authentication or user interaction (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
What's affected
| Package | Ecosystem | Vulnerable | Safe version |
|---|---|---|---|
| nokogiri | ruby | < 1.13.4 | 1.16.5 |
How to fix CVE-2022-24836
- Update nokogiri to 1.13.4 or later (1.16.5 recommended): run bundle update nokogiri, or raise the constraint in your Gemfile and run bundle install
- Commit the updated Gemfile.lock so every deployment picks up the patched version; a lockfile can pin both the pure-ruby gem and native platform gems (for example nokogiri (1.13.3-x86_64-linux)), and all of them must move to a fixed version
- Until you have upgraded, treat HTML from untrusted sources as hostile input and run parsing under a request or job timeout so a single crafted document cannot monopolise a worker; the trigger is attacker-supplied HTML, not CSS selectors
✓ Verify with PackageFix
Paste your Gemfile.lock into PackageFix to confirm the fix was applied: once every resolved nokogiri entry (including platform-specific native gems) is 1.13.4 or later, CVE-2022-24836 no longer appears in the CVE table. Check the lockfile rather than the Gemfile, because the lockfile records the version that is actually installed and deployed.
Frequently Asked Questions
What is Nokogiri used for?
Nokogiri is a Ruby gem for parsing HTML and XML. It's widely used in Rails applications for HTML sanitization, web scraping, and document processing.
Does this affect rails-html-sanitizer?
Indirectly. rails-html-sanitizer pulls in Nokogiri (through loofah, and directly in recent releases), so a Rails application that runs the sanitize helper on user input resolves nokogiri into its Gemfile.lock and is exposed if that version is below 1.13.4. The bug lives in nokogiri, not in rails-html-sanitizer, so the remediation is to update the nokogiri gem in the bundle.
How do I check my Nokogiri version?
Run bundle exec nokogiri --version, or bundle exec ruby -e 'require "nokogiri"; puts Nokogiri::VERSION', to see the version loaded in your bundle. To check what is pinned without loading the gem, look at the nokogiri lines under specs: in Gemfile.lock, including platform-specific entries such as nokogiri (1.13.3-x86_64-linux). You can also paste your Gemfile.lock into PackageFix to get the current version and CVE status.
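The lockfile check described above, as an added example that is not part of the original page or of Nokogiri itself: a small Ruby script that scans a Gemfile.lock for every resolved nokogiri entry, including platform-specific native gems, and compares each against the 1.13.4 fix version using rubygems' Gem::Version. It needs only the Ruby standard library, so it runs on a machine where nokogiri is not installed. The sample lockfile embedded in it is constructed for the example and is not from a real project.

```ruby
# Added example (not Nokogiri's code): check a Gemfile.lock for CVE-2022-24836.
# Uses only the Ruby standard library; nokogiri does not need to be installed.
require "rubygems"

# Version that shipped the fix for CVE-2022-24836.
FIXED_VERSION = Gem::Version.new("1.13.4")

# Bundler lists each resolved gem under "specs:" indented by exactly four
# spaces as "name (version)" or, for native gems, "name (version-platform)",
# e.g. "nokogiri (1.13.3-x86_64-linux)". Dependency lines are indented six
# spaces and carry constraints such as "(>= 1.5.9)", so they do not match.
SPEC_LINE = /\A {4}nokogiri \((?<version>[0-9][0-9A-Za-z.]*)(?:-(?<platform>[^)]+))?\)\z/

# Returns one hash per nokogiri spec line: { version:, platform:, vulnerable: }.
# A lockfile can pin both the pure "ruby" gem and one or more native platform
# gems, and every one of them has to be at or above the fix version.
def nokogiri_specs(lockfile_text)
  lockfile_text.each_line.map do |line|
    m = SPEC_LINE.match(line.chomp)
    next unless m

    version = Gem::Version.new(m[:version])
    {
      version: version.to_s,
      platform: m[:platform] || "ruby",
      vulnerable: version < FIXED_VERSION,
    }
  end.compact
end

# True if any resolved nokogiri is older than the fix version.
def vulnerable?(lockfile_text)
  nokogiri_specs(lockfile_text).any? { |spec| spec[:vulnerable] }
end

# Human-readable summary, one line per resolved nokogiri entry.
def report(lockfile_text)
  specs = nokogiri_specs(lockfile_text)
  return "nokogiri not found in lockfile" if specs.empty?

  specs.map do |spec|
    status = spec[:vulnerable] ? "VULNERABLE (CVE-2022-24836, fixed in #{FIXED_VERSION})" : "ok"
    "nokogiri #{spec[:version]} [#{spec[:platform]}]: #{status}"
  end.join("\n")
end

# Constructed sample lockfile (not from a real project): the pure-ruby gem and
# a native Linux gem are both pinned at an unpatched version, and nokogiri also
# appears as a dependency constraint under loofah, which must be ignored.
VULNERABLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.18.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.3)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      rails-html-sanitizer (1.4.2)
        loofah (~> 2.3)

  DEPENDENCIES
    nokogiri
    rails-html-sanitizer
LOCK

# The same lockfile after "bundle update nokogiri" to the recommended version.
PATCHED_LOCKFILE = VULNERABLE_LOCKFILE.gsub("1.13.3", "1.16.5")

if __FILE__ == $PROGRAM_NAME
  # Pass a path to check a real Gemfile.lock; with no argument, run the samples.
  if ARGV.empty?
    puts report(VULNERABLE_LOCKFILE), "---", report(PATCHED_LOCKFILE)
  else
    text = File.read(ARGV[0])
    puts report(text)
    exit(vulnerable?(text) ? 1 : 0)
  end
end
```

Run it as ruby check_nokogiri.rb path/to/Gemfile.lock; a non-zero exit status makes it usable as a CI gate. The four-space indentation anchor is what keeps the loofah dependency line nokogiri (>= 1.5.9) from being mistaken for a resolved version, and the platform capture is what makes a stale native gem show up next to an already-updated pure-ruby one.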