Skip to content

chromedriver-helper-2.1.1.gem: 20 vulnerabilities (highest severity is: 8.8) #41

Description

@mend-for-github-com
Vulnerable Library - chromedriver-helper-2.1.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (chromedriver-helper version) Remediation Possible** Reachability
WS-2022-0089 High 8.8 Not Defined nokogiri-1.10.8.gem Transitive N/A*
CVE-2021-3518 High 8.8 Not Defined 3.653% nokogiri-1.10.8.gem Transitive N/A*
CVE-2021-30560 High 8.8 Not Defined 21.623% nokogiri-1.10.8.gem Transitive N/A*
CVE-2021-3517 High 8.6 Not Defined 8.28% nokogiri-1.10.8.gem Transitive N/A*
CVE-2022-29181 High 8.2 Not Defined 3.078% nokogiri-1.10.8.gem Transitive N/A*
CVE-2024-34459 High 7.5 Not Defined 2.298% nokogiri-1.10.8.gem Transitive N/A*
CVE-2022-24836 High 7.5 Not Defined 3.549% nokogiri-1.10.8.gem Transitive N/A*
CVE-2021-41098 High 7.5 Not Defined 1.374% nokogiri-1.10.8.gem Transitive N/A*
CVE-2018-25032 High 7.5 Not Defined 52.063% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57235 Medium 6.5 Not Defined 0.331% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57438 Medium 6.2 Not Defined 0.093% nokogiri-1.10.8.gem Transitive N/A*
CVE-2021-3537 Medium 5.9 Not Defined 3.503% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57437 Medium 5.3 Not Defined 0.312% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57436 Medium 5.3 Not Defined 0.312% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57435 Medium 5.3 Not Defined 0.357% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57434 Medium 5.3 Not Defined 0.357% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57236 Medium 5.3 Not Defined 0.331% nokogiri-1.10.8.gem Transitive N/A*
CVE-2025-6490 Low 3.3 Proof of concept 0.152% nokogiri-1.10.8.gem Transitive N/A*
CVE-2026-57234 Low 2.6 Not Defined 0.166% nokogiri-1.10.8.gem Transitive N/A*
CVE-2020-26247 Low 2.6 Not Defined 1.109% nokogiri-1.10.8.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2022-0089

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Summary Nokogiri "v1.13.2" (https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to "v2.9.13" (https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) - vendored libxslt from v1.1.34 to "v1.1.35" (https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) Those library versions address the following upstream CVEs: - libxslt: "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) - libxml2: "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri "< 1.13.2", and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's "libxml2" and "libxslt" release announcements. Mitigation Upgrade to Nokogiri ">= 1.13.2". Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 ">= 2.9.13" and libxslt ">= 1.1.35", which will also address these same CVEs. Impact libxslt "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) - CVSS3 score: 8.8 (High) - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options "DTDVALID" set to true, and "NOENT" set to false. An analysis of these parse options: - While "NOENT" is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. - "DTDVALID" is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option "DTDVALID" when parsing untrusted documents is vulnerable and should be upgraded immediately.

Publish Date: 2026-05-28

URL: WS-2022-0089

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2024-12-05

Fix Resolution: nokogiri - v1.13.2

CVE-2021-3518

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Publish Date: 2021-05-18

URL: CVE-2021-3518

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.653%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-3518

Release Date: 2021-05-18

Fix Resolution: libxml2 - 2.9.12

CVE-2021-30560

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Publish Date: 2021-08-03

URL: CVE-2021-30560

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 21.623%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-30560

Release Date: 2021-08-03

Fix Resolution: v1.1.35,libxslt - 1.1.35

CVE-2021-3517

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Publish Date: 2021-05-19

URL: CVE-2021-3517

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 8.28%

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-3517

Release Date: 2021-05-19

Fix Resolution: libxml2 - 2.9.12

CVE-2022-29181

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a "String" by calling "#to_s" or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.078%

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6

CVE-2024-34459

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.

Publish Date: 2024-05-13

URL: CVE-2024-34459

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.298%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2022-24836

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Publish Date: 2022-04-11

URL: CVE-2022-24836

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.549%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-crjr-9rc5-ghw8

Release Date: 2022-04-11

Fix Resolution: nokogiri - 1.13.4

CVE-2021-41098

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Publish Date: 2021-09-27

URL: CVE-2021-41098

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.374%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098

Release Date: 2021-09-27

Fix Resolution: nokogiri - 1.12.5

CVE-2018-25032

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Publish Date: 2022-03-25

URL: CVE-2018-25032

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 52.063%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2018-25032

Release Date: 2022-03-25

Fix Resolution: zlib - 1.2.12

CVE-2026-57235

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node. This vulnerability is fixed in 1.19.4.

Publish Date: 2026-06-25

URL: CVE-2026-57235

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.331%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5prr-v3j2-97mh

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2026-57438

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each "xi:include" (xi:include) in place, freeing the include node along with its children (such as "xi:fallback" (xi:fallback) and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-06-25

URL: CVE-2026-57438

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.093%

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wfpw-mmfh-qq69

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2021-3537

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Publish Date: 2021-05-14

URL: CVE-2021-3537

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.503%

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-3537

Release Date: 2021-05-14

Fix Resolution: libxml2 - 2.9.12

CVE-2026-57437

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.

Publish Date: 2026-06-25

URL: CVE-2026-57437

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.312%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p67v-3w7g-wjg7

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2026-57436

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.

Publish Date: 2026-06-25

URL: CVE-2026-57436

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.312%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wjv4-x9w8-wm3h

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2026-57435

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.

Publish Date: 2026-06-25

URL: CVE-2026-57435

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.357%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-phwj-rprq-35pp

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2026-57434

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.

Publish Date: 2026-06-25

URL: CVE-2026-57434

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.357%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9cv2-cfxc-v4v2

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2026-57236

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.

Publish Date: 2026-06-25

URL: CVE-2026-57236

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.331%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v8h-3h3q-446p

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2025-6490

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.

Publish Date: 2025-06-22

URL: CVE-2025-6490

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.152%

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2026-57234

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

Publish Date: 2026-06-25

URL: CVE-2026-57234

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.166%

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8678-w3jw-xfc2

Release Date: 2026-06-25

Fix Resolution: nokogiri - 1.19.4

CVE-2020-26247

Vulnerable Library - nokogiri-1.10.8.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem

Dependency Hierarchy:

  • chromedriver-helper-2.1.1.gem (Root Library)
    • nokogiri-1.10.8.gem (Vulnerable Library)

Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86

Found in base branch: main

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Publish Date: 2020-12-30

URL: CVE-2020-26247

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.109%

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-30

Fix Resolution: 1.11.0.rc4

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions