CVE-2022-29181: 
Ruby vulnerability analysis and mitigation

Nokogiri prior to version 1.13.6 contained a vulnerability (CVE-2022-29181) that does not type-check all inputs into the XML and HTML4 SAX parsers. The vulnerability was discovered in May 2022 and affects the open-source XML and HTML library for Ruby. This security issue allows specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory (NVD, GitHub Advisory).

The vulnerability stems from type confusion issues in both xml_sax_parser_context.c and html4_sax_parser_context.c files. The parse_memory function fails to verify that the input data is a Ruby string before processing, allowing attackers to pass non-string objects that could cause memory access violations. The issue has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H (GitHub Lab).

For CRuby users, this vulnerability could lead to denial of service (DoS) through application crashes or potential information disclosure through memory leaks. If Nokogiri is being used in a way that reflects parsing results to the attacker, the vulnerability could be exploited to leak arbitrary Ruby strings containing sensitive information by guessing valid memory addresses (GitHub Lab).

Users should upgrade to Nokogiri version 1.13.6 or later which contains a patch for this vulnerability. As a temporary workaround, users can ensure untrusted input is converted to a String by calling #to_s or equivalent before passing it to the parser (GitHub Advisory).