Vulnerable Library - github-pages-193.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (github-pages version) |
Remediation Possible** |
| CVE-2024-22051 |
 Critical |
9.8 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
| CVE-2021-28834 |
Critical |
9.8 |
kramdown-1.17.0.gem |
Transitive |
N/A* |
❌ |
| CVE-2020-14001 |
Critical |
9.8 |
kramdown-1.17.0.gem |
Transitive |
N/A* |
❌ |
| WS-2022-0093 |
 High |
8.8 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
| WS-2022-0089 |
High |
8.8 |
nokogiri-1.12.5.gem |
Transitive |
N/A* |
❌ |
| CVE-2022-24724 |
High |
8.8 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
| CVE-2021-30560 |
High |
8.8 |
nokogiri-1.12.5.gem |
Transitive |
N/A* |
❌ |
| CVE-2025-6490 |
High |
8.4 |
nokogiri-1.12.5.gem |
Transitive |
N/A* |
❌ |
| CVE-2022-29181 |
High |
8.2 |
nokogiri-1.12.5.gem |
Transitive |
N/A* |
❌ |
| WS-2023-0095 |
High |
7.5 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
| WS-2022-0320 |
High |
7.5 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-35611 |
High |
7.5 |
addressable-2.8.0.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-33176 |
High |
7.5 |
activesupport-4.2.10.gem |
Transitive |
N/A* |
❌ |
| CVE-2024-34459 |
High |
7.5 |
nokogiri-1.12.5.gem |
Transitive |
N/A* |
❌ |
| CVE-2023-22796 |
High |
7.5 |
activesupport-4.2.10.gem |
Transitive |
N/A* |
❌ |
| CVE-2022-31163 |
High |
7.5 |
tzinfo-1.2.5.gem |
Transitive |
N/A* |
❌ |
| CVE-2022-24836 |
High |
7.5 |
nokogiri-1.12.5.gem |
Transitive |
N/A* |
❌ |
| CVE-2018-25032 |
High |
7.5 |
nokogiri-1.12.5.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-25765 |
 Medium |
5.8 |
faraday-1.8.0.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-33169 |
Medium |
5.3 |
activesupport-4.2.10.gem |
Transitive |
N/A* |
❌ |
| CVE-2023-28120 |
Medium |
5.3 |
activesupport-4.2.10.gem |
Transitive |
N/A* |
❌ |
| CVE-2023-26485 |
Medium |
5.3 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
| CVE-2023-24824 |
Medium |
5.3 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
| CVE-2026-33170 |
Medium |
4.3 |
activesupport-4.2.10.gem |
Transitive |
N/A* |
❌ |
| CVE-2023-22483 |
 Low |
3.5 |
commonmarker-0.17.13.gem |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2024-22051
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-commonmark-ghpages-0.1.5.gem
- ❌ commonmarker-0.17.13.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.
Publish Date: 2024-01-04
URL: CVE-2024-22051
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fmx4-26r3-wxpf
Release Date: 2024-01-04
Fix Resolution: commonmarker - 0.23.4
Step up your Open Source Security Game with Mend here
CVE-2021-28834
Vulnerable Library - kramdown-1.17.0.gem
kramdown is yet-another-markdown-parser but fast, pure Ruby,
using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/kramdown-1.17.0.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ kramdown-1.17.0.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Publish Date: 2021-03-19
URL: CVE-2021-28834
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-52p9-v744-mwjj
Release Date: 2021-03-19
Fix Resolution: kramdown - 2.3.1
Step up your Open Source Security Game with Mend here
CVE-2020-14001
Vulnerable Library - kramdown-1.17.0.gem
kramdown is yet-another-markdown-parser but fast, pure Ruby,
using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/kramdown-1.17.0.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ kramdown-1.17.0.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Publish Date: 2020-07-17
URL: CVE-2020-14001
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
Release Date: 2020-07-17
Fix Resolution: kramdown - 2.3.0
Step up your Open Source Security Game with Mend here
WS-2022-0093
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-commonmark-ghpages-0.1.5.gem
- ❌ commonmarker-0.17.13.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
commonmarker versions prior to 0.23.4 are vulnerable to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns.
The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.
Publish Date: 2026-05-14
URL: WS-2022-0093
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fmx4-26r3-wxpf
Release Date: 2022-02-03
Fix Resolution: commonmarker - 0.23.4,cmark-gfm-sys - no_fix,commonmarker - 0.23.4,comrak - 0.2.6,rb-commonmarker - no_fix,comrak - 0.6.2
Step up your Open Source Security Game with Mend here
WS-2022-0089
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a
sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is
fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ nokogiri-1.12.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Summary Nokogiri "v1.13.2" (https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to "v2.9.13" (https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) - vendored libxslt from v1.1.34 to "v1.1.35" (https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) Those library versions address the following upstream CVEs: - libxslt: "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) - libxml2: "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri "< 1.13.2", and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's "libxml2" and "libxslt" release announcements. Mitigation Upgrade to Nokogiri ">= 1.13.2". Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 ">= 2.9.13" and libxslt ">= 1.1.35", which will also address these same CVEs. Impact libxslt "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) - CVSS3 score: 8.8 (High) - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options "DTDVALID" set to true, and "NOENT" set to false. An analysis of these parse options: - While "NOENT" is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. - "DTDVALID" is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option "DTDVALID" when parsing untrusted documents is vulnerable and should be upgraded immediately.
Publish Date: 2026-05-14
URL: WS-2022-0089
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fq42-c5rg-92c2
Release Date: 2024-12-05
Fix Resolution: nokogiri - v1.13.2
Step up your Open Source Security Game with Mend here
CVE-2022-24724
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-commonmark-ghpages-0.1.5.gem
- ❌ commonmarker-0.17.13.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing "table.c:row_from_string" may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where "cmark-gfm" is used. If "cmark-gfm" is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the "cmark-gfm" library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
Publish Date: 2022-03-03
URL: CVE-2022-24724
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/RSEC-2023-7
Release Date: 2022-03-03
Fix Resolution: commonmark - 1.8
Step up your Open Source Security Game with Mend here
CVE-2021-30560
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a
sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is
fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ nokogiri-1.12.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Publish Date: 2021-08-03
URL: CVE-2021-30560
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-30560
Release Date: 2021-08-03
Fix Resolution: v1.1.35,libxslt - 1.1.35
Step up your Open Source Security Game with Mend here
CVE-2025-6490
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a
sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is
fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ nokogiri-1.12.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.
Publish Date: 2025-06-22
URL: CVE-2025-6490
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2022-29181
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a
sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is
fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ nokogiri-1.12.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a "String" by calling "#to_s" or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
Step up your Open Source Security Game with Mend here
WS-2023-0095
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-commonmark-ghpages-0.1.5.gem
- ❌ commonmarker-0.17.13.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Impact Several quadratic complexity bugs in commonmarker's underlying ""cmark-gfm"" (https://github.com/github/cmark-gfm) library may lead to unbounded resource exhaustion and subsequent denial of service. The following vulnerabilities were addressed: * "CVE-2023-24824" (GHSA-66g8-4hjf-77xh) * "CVE-2023-26485" (GHSA-r8vr-c48j-fcc5) For more information, consult the release notes for version ""0.23.0.gfm.10"" (https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.10) and ""0.23.0.gfm.11"" (https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.11). Mitigation Users are advised to upgrade to commonmarker version ""0.23.9"" (https://rubygems.org/gems/commonmarker/versions/0.23.9).
Publish Date: 2026-05-15
URL: WS-2023-0095
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-48wp-p9qv-4j64
Release Date: 2024-12-04
Fix Resolution: commonmarker - 0.23.9
Step up your Open Source Security Game with Mend here
WS-2022-0320
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-commonmark-ghpages-0.1.5.gem
- ❌ commonmarker-0.17.13.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Impact CommonMarker uses "cmark-gfm" for rendering "Github Flavored Markdown" (https://github.github.com/gfm/). A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Patches This vulnerability has been patched in the following CommonMarker release: - v0.23.6 Workarounds Disable use of the autolink extension. References gjtorikian/commonmarker#190 GHSA-cgh3-p57x-9q7q https://en.wikipedia.org/wiki/Time_complexity For more information If you have any questions or comments about this advisory: * Open an issue in "github/cmark-gfm" (https://github.com/github/cmark-gfm) Acknowledgements We would like to thank "Legit Security" (https://www.legitsecurity.com) for reporting this vulnerability.
Publish Date: 2026-05-15
URL: WS-2022-0320
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4qw4-jpp4-8gvp
Release Date: 2024-12-02
Fix Resolution: commonmarker - 0.23.6
Step up your Open Source Security Game with Mend here
CVE-2026-35611
Vulnerable Library - addressable-2.8.0.gem
Addressable is an alternative implementation to the URI implementation that is
part of Ruby's standard library. It is flexible, offers heuristic parsing, and
additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.8.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.8.0.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-avatar-0.6.0.gem
- jekyll-3.7.4.gem
- ❌ addressable-2.8.0.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Publish Date: 2026-04-07
URL: CVE-2026-35611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: https://github.com/sporkmonger/addressable.git - addressable-2.9.0
Step up your Open Source Security Game with Mend here
CVE-2026-33176
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ activesupport-4.2.10.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. "1e10000"), which "BigDecimal" expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33176
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.0.5,https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1
Step up your Open Source Security Game with Mend here
CVE-2024-34459
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a
sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is
fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ nokogiri-1.12.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. This vulnerability does not affect RubyGem's Nokogiri directly, but its dependency libxml2, which is downloaded during Nokogiri's depndency resolution.
Publish Date: 2024-05-13
URL: CVE-2024-34459
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2023-22796
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ activesupport-4.2.10.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Publish Date: 2023-02-09
URL: CVE-2023-22796
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-j6gc-792m-qgm2
Release Date: 2023-02-09
Fix Resolution: activesupport - 7.0.4.1,activesupport - 6.1.7.1
Step up your Open Source Security Game with Mend here
CVE-2022-31163
Vulnerable Library - tzinfo-1.2.5.gem
TZInfo provides daylight savings aware transformations between times in different time zones.
Library home page: https://rubygems.org/gems/tzinfo-1.2.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/tzinfo-1.2.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-mentions-1.4.1.gem
- html-pipeline-2.9.1.gem
- activesupport-4.2.10.gem
- ❌ tzinfo-1.2.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.
Publish Date: 2022-07-21
URL: CVE-2022-31163
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5cm2-9h8c-rvfx
Release Date: 2022-07-21
Fix Resolution: tzinfo - 0.3.61,tzinfo - 1.2.10
Step up your Open Source Security Game with Mend here
CVE-2022-24836
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a
sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is
fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ nokogiri-1.12.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.
Publish Date: 2022-04-11
URL: CVE-2022-24836
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
Step up your Open Source Security Game with Mend here
CVE-2018-25032
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a
sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is
fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ nokogiri-1.12.5.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Publish Date: 2022-03-25
URL: CVE-2018-25032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2018-25032
Release Date: 2022-03-25
Fix Resolution: zlib - 1.2.12
Step up your Open Source Security Game with Mend here
CVE-2026-25765
Vulnerable Library - faraday-1.8.0.gem
Library home page: https://rubygems.org/gems/faraday-1.8.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/faraday-1.8.0.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- jekyll-theme-primer-0.5.3.gem
- jekyll-github-metadata-2.9.4.gem
- octokit-4.21.0.gem
- ❌ faraday-1.8.0.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1
Step up your Open Source Security Game with Mend here
CVE-2026-33169
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ activesupport-4.2.10.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. "NumberToDelimitedConverter" uses a lookahead-based regular expression with "gsub!" to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and "gsub!" can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33169
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1
Step up your Open Source Security Game with Mend here
CVE-2023-28120
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
- github-pages-193.gem (Root Library)
- ❌ activesupport-4.2.10.gem (Vulnerable Library)
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
Publish Date: 2025-01-09
URL: CVE-2023-28120
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pj73-v5mw-pm9j
Release Date: 2025-01-09
Fix Resolution: activesupport - 6.1.7.3,activesupport - 7.0.4.3
Step up your Open Source Security Game with Mend here
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.
Publish Date: 2024-01-04
URL: CVE-2024-22051
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fmx4-26r3-wxpf
Release Date: 2024-01-04
Fix Resolution: commonmarker - 0.23.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - kramdown-1.17.0.gem
kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/kramdown-1.17.0.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Publish Date: 2021-03-19
URL: CVE-2021-28834
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-52p9-v744-mwjj
Release Date: 2021-03-19
Fix Resolution: kramdown - 2.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - kramdown-1.17.0.gem
kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/kramdown-1.17.0.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Publish Date: 2020-07-17
URL: CVE-2020-14001
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
Release Date: 2020-07-17
Fix Resolution: kramdown - 2.3.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
commonmarker versions prior to 0.23.4 are vulnerable to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns.
The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.
Publish Date: 2026-05-14
URL: WS-2022-0093
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fmx4-26r3-wxpf
Release Date: 2022-02-03
Fix Resolution: commonmarker - 0.23.4,cmark-gfm-sys - no_fix,commonmarker - 0.23.4,comrak - 0.2.6,rb-commonmarker - no_fix,comrak - 0.6.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Summary Nokogiri "v1.13.2" (https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to "v2.9.13" (https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) - vendored libxslt from v1.1.34 to "v1.1.35" (https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) Those library versions address the following upstream CVEs: - libxslt: "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) - libxml2: "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri "< 1.13.2", and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's "libxml2" and "libxslt" release announcements. Mitigation Upgrade to Nokogiri ">= 1.13.2". Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 ">= 2.9.13" and libxslt ">= 1.1.35", which will also address these same CVEs. Impact libxslt "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) - CVSS3 score: 8.8 (High) - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options "DTDVALID" set to true, and "NOENT" set to false. An analysis of these parse options: - While "NOENT" is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. - "DTDVALID" is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option "DTDVALID" when parsing untrusted documents is vulnerable and should be upgraded immediately.
Publish Date: 2026-05-14
URL: WS-2022-0089
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fq42-c5rg-92c2
Release Date: 2024-12-05
Fix Resolution: nokogiri - v1.13.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing "table.c:row_from_string" may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where "cmark-gfm" is used. If "cmark-gfm" is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the "cmark-gfm" library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
Publish Date: 2022-03-03
URL: CVE-2022-24724
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/RSEC-2023-7
Release Date: 2022-03-03
Fix Resolution: commonmark - 1.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Publish Date: 2021-08-03
URL: CVE-2021-30560
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-30560
Release Date: 2021-08-03
Fix Resolution: v1.1.35,libxslt - 1.1.35
Step up your Open Source Security Game with Mend here
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.
Publish Date: 2025-06-22
URL: CVE-2025-6490
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a "String" by calling "#to_s" or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Impact Several quadratic complexity bugs in commonmarker's underlying ""cmark-gfm"" (https://github.com/github/cmark-gfm) library may lead to unbounded resource exhaustion and subsequent denial of service. The following vulnerabilities were addressed: * "CVE-2023-24824" (GHSA-66g8-4hjf-77xh) * "CVE-2023-26485" (GHSA-r8vr-c48j-fcc5) For more information, consult the release notes for version ""0.23.0.gfm.10"" (https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.10) and ""0.23.0.gfm.11"" (https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.11). Mitigation Users are advised to upgrade to commonmarker version ""0.23.9"" (https://rubygems.org/gems/commonmarker/versions/0.23.9).
Publish Date: 2026-05-15
URL: WS-2023-0095
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-48wp-p9qv-4j64
Release Date: 2024-12-04
Fix Resolution: commonmarker - 0.23.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - commonmarker-0.17.13.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Impact CommonMarker uses "cmark-gfm" for rendering "Github Flavored Markdown" (https://github.github.com/gfm/). A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Patches This vulnerability has been patched in the following CommonMarker release: - v0.23.6 Workarounds Disable use of the autolink extension. References gjtorikian/commonmarker#190 GHSA-cgh3-p57x-9q7q https://en.wikipedia.org/wiki/Time_complexity For more information If you have any questions or comments about this advisory: * Open an issue in "github/cmark-gfm" (https://github.com/github/cmark-gfm) Acknowledgements We would like to thank "Legit Security" (https://www.legitsecurity.com) for reporting this vulnerability.
Publish Date: 2026-05-15
URL: WS-2022-0320
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4qw4-jpp4-8gvp
Release Date: 2024-12-02
Fix Resolution: commonmarker - 0.23.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - addressable-2.8.0.gem
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.8.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.8.0.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Publish Date: 2026-04-07
URL: CVE-2026-35611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: https://github.com/sporkmonger/addressable.git - addressable-2.9.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. "1e10000"), which "BigDecimal" expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33176
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.0.5,https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. This vulnerability does not affect RubyGem's Nokogiri directly, but its dependency libxml2, which is downloaded during Nokogiri's depndency resolution.
Publish Date: 2024-05-13
URL: CVE-2024-34459
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Publish Date: 2023-02-09
URL: CVE-2023-22796
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j6gc-792m-qgm2
Release Date: 2023-02-09
Fix Resolution: activesupport - 7.0.4.1,activesupport - 6.1.7.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tzinfo-1.2.5.gem
TZInfo provides daylight savings aware transformations between times in different time zones.
Library home page: https://rubygems.org/gems/tzinfo-1.2.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/tzinfo-1.2.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with
requireon demand. In the affected versions,TZInfo::Timezone.getfails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later,TZInfo::Timezone.getcan be made to load unintended files withrequire, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix oftzinfo/definitionwithin a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing toTZInfo::Timezone.getby ensuring it matches the regular expression\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.Publish Date: 2022-07-21
URL: CVE-2022-31163
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5cm2-9h8c-rvfx
Release Date: 2022-07-21
Fix Resolution: tzinfo - 0.3.61,tzinfo - 1.2.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri
< v1.13.4contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri>= 1.13.4. There are no known workarounds for this issue.Publish Date: 2022-04-11
URL: CVE-2022-24836
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - nokogiri-1.12.5.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Publish Date: 2022-03-25
URL: CVE-2018-25032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2018-25032
Release Date: 2022-03-25
Fix Resolution: zlib - 1.2.12
Step up your Open Source Security Game with Mend here
Vulnerable Library - faraday-1.8.0.gem
Library home page: https://rubygems.org/gems/faraday-1.8.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/faraday-1.8.0.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. "NumberToDelimitedConverter" uses a lookahead-based regular expression with "gsub!" to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and "gsub!" can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33169
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - activesupport-4.2.10.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem
Dependency Hierarchy:
Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf
Found in base branch: master
Vulnerability Details
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
Publish Date: 2025-01-09
URL: CVE-2023-28120
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pj73-v5mw-pm9j
Release Date: 2025-01-09
Fix Resolution: activesupport - 6.1.7.3,activesupport - 7.0.4.3
Step up your Open Source Security Game with Mend here