All Nokogiri CVEs — Complete Vulnerability History
Nokogiri is the most-used Ruby XML/HTML parser. It wraps libxml2 and libxslt, which means its CVE history often reflects upstream C library vulnerabilities. Updates are frequent and important, especially for apps parsing untrusted HTML.
Ruby · 8M+ weekly downloads · 6 CVEs total · 2 CRITICAL
CVE history — all 6 known vulnerabilities
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-5477 | 2019 | CRITICAL | Command injection via Nokogiri.parse on crafted HTML | Fixed in 1.10.4 |
| CVE-2020-26247 | 2020 | MEDIUM | XXE in Nokogiri::XML::Schema when parsing schema | Fixed in 1.11.0 |
| CVE-2021-3518 | 2021 | HIGH | Use after free in libxml2 XInclude processing | Fixed in 1.11.4 |
| CVE-2022-23437 | 2022 | HIGH | DoS in XML Schema validation via libxml2 | Fixed in 1.13.2 |
| CVE-2022-24836 | 2022 | CRITICAL | ReDoS in CSS selector parsing — CVSS 9.8 | Fixed in 1.13.4 |
| CVE-2023-36617 | 2023 | HIGH | ReDoS via specially crafted CSS selector | Fixed in 1.15.4 |
Current safe version
✓ Update to 1.16.5
The latest safe version addresses all 6 known CVEs listed above.
Before and after
Vulnerable:
gem 'nokogiri', '1.11.0'
Fixed:
gem 'nokogiri', '1.16.5'
Then run: bundle install
Common questions
Why does Nokogiri have so many CVEs?
Nokogiri wraps libxml2 and libxslt, two C libraries with long CVE histories. When these upstream libraries have vulnerabilities, Nokogiri inherits them. The Nokogiri team ships vendored versions of these libraries and keeps them patched, but it means frequent updates are necessary.
Does Nokogiri's CVE history affect Rails apps?
Yes — rails-html-sanitizer (used by ActionView for HTML sanitization) depends on Nokogiri. ReDoS in Nokogiri's CSS selector parsing can be triggered by crafted user input passed to the sanitizer. Keep Nokogiri updated in all Rails apps.
What's the difference between Nokogiri's system libxml2 and vendored libxml2?
By default, Nokogiri ships with a vendored (bundled) version of libxml2, which the team keeps patched. If you build Nokogiri with --use-system-libraries, you use the system libxml2, which may be older and unpatched. The vendored version is safer.
How do I check which Nokogiri version a gem requires?
Run bundle exec gem dependency nokogiri in your project directory. Or paste your Gemfile.lock into PackageFix — it shows every resolved Nokogiri version including transitive references.
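To make that version check concrete, here is an added example (not PackageFix's or Nokogiri's own code) that reads a Gemfile.lock, finds the resolved nokogiri version, strips any platform suffix, and compares it against the fix versions from the CVE table above; the lockfile text is constructed for the demonstration.

```ruby
# Added example: check a Gemfile.lock's resolved nokogiri version against the
# fix versions listed in the CVE table on this page. Not part of any project.
require 'rubygems'

# Fix versions exactly as given in the table above.
NOKOGIRI_FIXES = {
  'CVE-2019-5477'  => '1.10.4',
  'CVE-2020-26247' => '1.11.0',
  'CVE-2021-3518'  => '1.11.4',
  'CVE-2022-23437' => '1.13.2',
  'CVE-2022-24836' => '1.13.4',
  'CVE-2023-36617' => '1.15.4',
}.freeze

# Gemfile.lock lists resolved gems under "specs:" as "    name (version[-platform])".
# Returns the resolved nokogiri version string, or nil if nokogiri is not resolved.
def resolved_nokogiri_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}nokogiri \(([0-9][^)\s]*)\)/)
    return m[1] if m
  end
  nil
end

# Returns the CVE IDs whose fix version is newer than the given version.
# Platform suffixes such as "1.16.5-x86_64-linux" are dropped before comparing.
def cves_affecting(version_string)
  v = Gem::Version.new(version_string.split('-', 2).first)
  NOKOGIRI_FIXES.select { |_cve, fixed| v < Gem::Version.new(fixed) }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample lockfile fragment pinning the page's "vulnerable" version.
  sample = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        mini_portile2 (2.5.0)
        nokogiri (1.11.0)
          mini_portile2 (~> 2.5.0)
          racc (~> 1.4)
        racc (1.5.2)
  LOCK
  ver = resolved_nokogiri_version(sample)
  puts "nokogiri #{ver}: affected by #{cves_affecting(ver).join(', ')}"
end
```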