CVE-2025-6490: Heap-Based Buffer Overflow Vulnerability in Nokogiri (up to 1.18.7)

Nokogiri, a popular Ruby gem for parsing HTML, XML, and other markup formats, is affected by a heap-based buffer overflow vulnerability. This flaw could potentially allow a local attacker to cause a denial of service.

Vulnerability Details

• CVE ID: CVE-2025-6490
• Description: A heap-based buffer overflow vulnerability exists in sparklemotion nokogiri up to version 1.18.7. The vulnerability resides in the hashmap_set_with_hash function within the gumbo-parser/src/hashmap.c file. Manipulation of this function can lead to a buffer overflow on the heap.
• CVSS Score and Vector:
  • CVSS 3.1: 3.3 (Low) - AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVSS 4.0: 4.8 (Medium) - AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  The CVSS score indicates a low severity vulnerability because it requires local access and low privileges. However, it could lead to a denial of service due to the availability impact (A:L).

• Exploit Requirements: Local access and low privileges are required to exploit this vulnerability.
• Affected Vendor, Product, Version: sparklemotion nokogiri up to version 1.18.7
• CWE:
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-122: Heap-based Buffer Overflow

  CWE-119 and CWE-122 both relate to vulnerabilities where a program writes beyond the boundaries of an allocated buffer, potentially corrupting data, crashing the application, or even executing arbitrary code.

Timeline of Events

• 2025-06-22: Vulnerability disclosed.
• 2025-06-22: Proof-of-concept exploit released.

Exploitability & Real-World Risk

While the vulnerability requires local access, it poses a risk in shared environments or systems where an attacker has already gained limited access. A successful exploit could lead to a denial of service, potentially disrupting applications that rely on Nokogiri for parsing.

Recommendations

• Upgrade Nokogiri: Upgrade to a version beyond 1.18.7, where this vulnerability is addressed.
• Monitor Systems: Monitor systems for unexpected crashes or errors in applications using Nokogiri.

Technical Insight

The vulnerability lies within the hashmap_set_with_hash function of the gumbo-parser, a dependency used by Nokogiri. The function improperly handles memory allocation, potentially writing data beyond the allocated buffer size. This overwrite can corrupt memory and lead to a crash.

Credit to Researcher(s)

Vulnerability reported via VulDB.

References

• Nokogiri Issue #3500
• Proof-of-Concept Exploit
• VulDB Entry
• VulDB ID
• VulDB Submit

Tags

Nokogiri, CVE-2025-6490, Heap-Based Buffer Overflow, Gumbo-Parser, Vulnerability, Security, Ruby, DoS

Summary: A heap-based buffer overflow vulnerability exists in Nokogiri up to version 1.18.7, affecting the `hashmap_set_with_hash` function within the gumbo-parser. This could allow a local attacker with low privileges to cause a denial of service by overflowing the heap buffer.

CVE ID: CVE-2025-6490

Risk Analysis: A successful exploit could result in a denial of service, impacting applications that rely on Nokogiri for parsing HTML, XML, and other markup formats. The risk is higher in shared environments.

Recommendation: Upgrade Nokogiri to a version beyond 1.18.7 to address the heap-based buffer overflow vulnerability.

Timeline

• 2025-06-22: Vulnerability disclosed

References

• https://github.com/sparklemotion/nokogiri/issues/3500
• https://github.com/user-attachments/files/19625432/nokogiri_crash.txt
• https://vuldb.com/?ctiid.313601
• https://vuldb.com/?id.313601
• https://vuldb.com/?submit.601005