CVE-2022-24839
Aliases: GHSA-9849-p7jc-9rmv
Advisory lineage: Upstream 0, Downstream 7
Published: 11 Apr 2022, 21:25
Last modified: 23 Apr 2025, 18:40
Vulnerability Summary
Overall Risk (default): medium (30/100)
CVSS Score: 7.5 HIGH (v3.1, cve.org)
EPSS Score: 0.45% LOW
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Description
org.cyberneko.html is an HTML parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` when parsing ill-formed HTML markup, so an attacker who controls the input handed to the parser can exhaust the JVM heap and take down the process (a denial of service: the CVSS vector below rates availability impact as High with no confidentiality or integrity impact). Users are advised to upgrade to `>= 1.9.22.noko2`. Note: the upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml, and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
CVSS Metrics
- v3.1, HIGH, score 7.5: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0, MEDIUM, score 5.0: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.45%, percentile: 64%
Techniques & Countermeasures
- CWE-400: Uncontrolled Resource Consumption. The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- org.nokogiri / nekohtml: < 1.9.22.noko2
- nekohtml_project / nekohtml: < 1.9.22.noko2
- Oracle WebLogic Server (per the Oracle Critical Patch Update of July 2022, referenced below): 12.2.1.3.0 | 12.2.1.4.0 | 14.1.1.0.0
- sparklemotion / nekohtml: < 1.9.22.noko2
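The fix boundary above is a fork-specific version string (`1.9.22.noko2`), which generic semver comparators mishandle. The following Ruby script is an added example, not code from the advisory or from the Nokogiri or nekohtml projects: it parses nekohtml version strings, orders them by numeric components and then by the `noko` counter (an ordering assumed from the advisory's fixed-version string), and scans a constructed `mvn dependency:list`-style output for artifacts below the fixed version. Versions without a `noko` suffix are treated as upstream nekohtml releases, which the description places outside this CVE; that discriminator is an assumption made here.

```ruby
# Added example (not part of the advisory, Nokogiri or nekohtml): flag nekohtml
# coordinates that fall below the fork's fixed version 1.9.22.noko2 (CVE-2022-24839).

FIXED_NEKOHTML_VERSION = "1.9.22.noko2".freeze

# Parse "1.9.22.noko2" into [[1, 9, 22], 2]. A plain upstream version such as
# "1.9.22" (no fork suffix) parses to [[1, 9, 22], nil].
def parse_nekohtml_version(ver)
  m = /\A(\d+(?:\.\d+)*)(?:\.noko(\d+))?\z/.match(ver.to_s.strip)
  raise ArgumentError, "unrecognised nekohtml version: #{ver.inspect}" unless m
  numeric = m[1].split(".").map(&:to_i)
  noko = m[2] && m[2].to_i
  [numeric, noko]
end

# Sort key: numeric components padded to three places, then the noko counter.
# Assumption: fork releases order by numeric version first, then by noko number.
def nekohtml_version_key(ver)
  numeric, noko = parse_nekohtml_version(ver)
  numeric = numeric + [0] * [3 - numeric.length, 0].max
  [numeric, noko]
end

# Is this a version of the Nokogiri fork (identified by the noko suffix)?
def nokogiri_fork_version?(ver)
  !parse_nekohtml_version(ver)[1].nil?
end

# True when the version is a fork release below FIXED_NEKOHTML_VERSION.
# Upstream releases (no noko suffix) return false: the advisory scopes this CVE
# to the fork only, even though upstream is unmaintained (assumption: suffix
# alone distinguishes the fork).
def nekohtml_vulnerable?(ver)
  return false unless nokogiri_fork_version?(ver)
  (nekohtml_version_key(ver) <=> nekohtml_version_key(FIXED_NEKOHTML_VERSION)) < 0
end

# Constructed sample in the "groupId:artifactId:type:version:scope" format that
# `mvn dependency:list` prints; these lines are made up for this example.
SAMPLE_DEPENDENCY_LIST = <<~LIST
  org.nokogiri:nekohtml:jar:1.9.22.noko1:compile
  org.nokogiri:nekohtml:jar:1.9.22.noko2:compile
  net.sourceforge.nekohtml:nekohtml:jar:1.9.22:compile
  xerces:xercesImpl:jar:2.12.2:compile
LIST

# Return "group:artifact:version" for every nekohtml line below the fix.
def find_vulnerable_nekohtml(dependency_list)
  dependency_list.each_line.filter_map do |line|
    parts = line.strip.split(":")
    next unless parts.length >= 4
    group, artifact, _type, version = parts
    next unless artifact == "nekohtml"
    "#{group}:#{artifact}:#{version}" if nekohtml_vulnerable?(version)
  end
end

if __FILE__ == $PROGRAM_NAME
  hits = find_vulnerable_nekohtml(SAMPLE_DEPENDENCY_LIST)
  if hits.empty?
    puts "no nekohtml fork versions below #{FIXED_NEKOHTML_VERSION}"
  else
    hits.each { |h| puts "VULNERABLE (CVE-2022-24839): #{h}" }
  end
end
```

Run it against the real output of `mvn dependency:list -DoutputFile=...` or against the jar names bundled in a JRuby Nokogiri gem; the only line that should be flagged in the constructed sample is `org.nokogiri:nekohtml:jar:1.9.22.noko1:compile`.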
References (5)
- https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
- https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-24839
- https://github.com/sparklemotion/nekohtml