CVE-2022-23476 Overview
CVE-2022-23476 is a Null Pointer Dereference vulnerability affecting Nokogiri, an open source XML and HTML library for the Ruby programming language. Nokogiri versions 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This oversight can lead to a null pointer exception when invalid markup is being parsed, potentially causing application crashes.
Critical Impact
Applications using XML::Reader to parse untrusted inputs may be vulnerable to denial of service attacks through specially crafted malicious XML markup.
Affected Products
- Nokogiri version 1.13.8 (Ruby gem)
- Nokogiri version 1.13.9 (Ruby gem)
Discovery Timeline
- 2022-12-08 - CVE CVE-2022-23476 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23476
Vulnerability Analysis
This vulnerability stems from improper error handling in Nokogiri's C extension code that interfaces with libxml2. Specifically, the Nokogiri::XML::Reader#attribute_hash method calls the native xmlTextReaderExpand function but fails to validate the return value before using it. When xmlTextReaderExpand encounters invalid or malformed XML markup, it returns NULL to indicate an error condition. Without proper null checking, the subsequent code attempts to dereference this null pointer when accessing c_node->properties, resulting in a null pointer exception that crashes the application.
This vulnerability is classified under CWE-252 (Unchecked Return Value), as the root cause is the missing validation of the function's return value before dereferencing. For applications that process untrusted XML input through the XML::Reader interface, an attacker can supply maliciously crafted XML data designed to trigger the error condition in xmlTextReaderExpand, causing denial of service.
Root Cause
The vulnerability exists because the native C code in ext/nokogiri/xml_reader.c does not validate the return value from xmlTextReaderExpand() before attempting to access the properties member of the returned node structure. When the function returns NULL due to parsing errors on malformed markup, the code proceeds to dereference the null pointer, causing the application to crash.
Attack Vector
An attacker can exploit this vulnerability by supplying specially crafted invalid XML markup to applications that use Nokogiri::XML::Reader#attributes or Nokogiri::XML::Reader#attribute_hash to parse untrusted input. The attack vector is network-based, requiring no authentication or user interaction. When the malformed XML is processed, the null pointer dereference triggers an unhandled exception, causing the Ruby process to crash and resulting in denial of service.
// Security patch from ext/nokogiri/xml_reader.c
// Source: https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce
}
c_node = xmlTextReaderExpand(c_reader);
+ if (c_node == NULL) {
+ return Qnil;
+ }
+
c_property = c_node->properties;
while (c_property != NULL) {
VALUE rb_name = NOKOGIRI_STR_NEW2(c_property->name);
The patch adds a null check after the xmlTextReaderExpand call, returning Qnil (Ruby's nil) to the caller instead of proceeding with the null pointer dereference.
Detection Methods for CVE-2022-23476
Indicators of Compromise
- Unexpected Ruby process crashes or segmentation faults when processing XML input
- Application errors or exceptions originating from Nokogiri::XML::Reader#attribute_hash or Nokogiri::XML::Reader#attributes methods
- Increased crash frequency in services handling user-supplied XML data
Detection Strategies
- Audit application dependencies using bundle audit or similar Ruby gem vulnerability scanners to identify vulnerable Nokogiri versions
- Monitor application logs for segmentation faults or null pointer exceptions during XML parsing operations
- Implement application performance monitoring to detect unusual crash patterns in XML processing components
Monitoring Recommendations
- Enable crash reporting and exception tracking for Ruby applications processing XML data
- Configure alerting for repeated application restarts or process crashes
- Monitor resource utilization patterns that may indicate denial of service attempts
How to Mitigate CVE-2022-23476
Immediate Actions Required
- Upgrade Nokogiri to version 1.13.10 or later immediately
- Identify affected code by searching for calls to XML::Reader#attributes or XML::Reader#attribute_hash
- Implement input validation to reject malformed XML before processing with Nokogiri
Patch Information
Users are advised to upgrade to Nokogiri >= 1.13.10 which includes the fix for this vulnerability. The security patches are available in the following commits:
For additional details, refer to the GitHub Security Advisory GHSA-qv4q-mr5r-qprj.
Workarounds
- If immediate upgrade is not possible, implement exception handling around XML::Reader#attributes and XML::Reader#attribute_hash calls
- Add input validation to reject obviously malformed XML before passing to Nokogiri
- Consider using alternative parsing methods such as Nokogiri::XML::Document if the XML::Reader interface is not specifically required
# Upgrade Nokogiri to patched version
gem update nokogiri
# Or specify minimum version in Gemfile
echo "gem 'nokogiri', '>= 1.13.10'" >> Gemfile
bundle update nokogiri
# Verify installed version
gem list nokogiri
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
