CVE-2022-24839 Overview
CVE-2022-24839 is a Denial of Service vulnerability in org.cyberneko.html, an HTML parser written in Java. The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. This vulnerability affects applications that rely on the NekoHTML parser for processing untrusted HTML content, potentially allowing remote attackers to exhaust server memory resources with specially crafted malicious input.
Critical Impact
Remote attackers can cause application denial of service by sending malformed HTML markup that triggers memory exhaustion, leading to java.lang.OutOfMemoryError exceptions and potential service disruption.
Affected Products
- NekoHTML Project NekoHTML (versions prior to 1.9.22.noko2)
- Oracle WebLogic Server 12.2.1.3.0
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 14.1.1.0.0
Discovery Timeline
- April 11, 2022 - CVE-2022-24839 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-24839
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), a resource exhaustion vulnerability that manifests when the NekoHTML parser processes malformed HTML content. The flaw resides in the HTMLScanner.java component, specifically in the processing instruction (PI) parsing logic.
When the parser encounters ill-formed processing instructions in HTML markup, it can enter a state where it fails to properly terminate parsing, leading to unbounded memory allocation. The vulnerability is remotely exploitable without authentication, requiring no user interaction to trigger.
The upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library located at the Sparklemotion NekoHTML repository, and this CVE applies only to that fork. Other forks of NekoHTML may have a similar vulnerability.
Root Cause
The root cause lies in HTMLScanner.java, where the processing instruction parsing loop did not account for the end-of-file condition (read() returning -1) when checking for the terminating character. When parsing an ill-formed PI, the scanner only checked for the > character to break out of the loop; if the input stream ended unexpectedly (returning -1), the parser kept trying to process input, leading to memory exhaustion.
Attack Vector
The attack vector is network-based, allowing remote unauthenticated attackers to exploit this vulnerability. An attacker can craft HTML content with an ill-formed processing instruction and submit it to any application using the vulnerable NekoHTML parser. When the application parses this malformed input, the scanner loops without terminating, allocating memory until a java.lang.OutOfMemoryError is thrown.
This vulnerability is particularly dangerous in web applications that accept user-supplied HTML content for sanitization, rendering, or transformation purposes.
// Security patch from HTMLScanner.java
// Source: https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
if (c == '?' || c == '/') {
char c0 = (char)c;
c = fCurrentEntity.read();
- if (c == '>') {
+ if (c == '>' || c == -1) {
break;
}
fStringBuffer.append(c0);
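Review bot: the EOF guard added in the '?'/'/' branch is correct as far as the hunk shows, but the visible context ends at fStringBuffer.append(c0); with the rest of the loop body truncated, so the fix must also be checked where it is not shown: every other fCurrentEntity.read() in the same loop has to stop on -1, otherwise the same unbounded append can still occur when end of input arrives outside this branch. A style point on the same line: c is an int and c0 is obtained by casting it to char one line above, so a reader skimming the diff could assume c is a char, where -1 would never match; a comment or a named constant for the Reader end-of-stream value would make the intent of "|| c == -1" obvious.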
The patch adds a check for -1 (end-of-file) in addition to the > character, ensuring the parser properly terminates when encountering malformed input that ends unexpectedly.
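To make the root cause concrete, here is a toy model of the PI scan loop, written as an added example for this page; it is not code from the nekohtml project. It assumes a reader whose read() returns -1 at end of input without advancing, and a one-position push-back after a '?' or '/' that is not followed by '>' (the push-back mechanism is an assumption of the model, not something the patch above shows). A step cap replaces the JVM heap limit so the unpatched variant returns a result instead of exhausting memory.

```python
"""Toy model of the processing-instruction scan loop behind CVE-2022-24839.

Added example, not code from the nekohtml project. It models the loop shape
described on the page: a reader whose read() returns -1 at end of input, a
buffer that grows while scanning for the closing '>', and (an assumption of
this model) a one-position push-back after a '?' or '/' that is not followed
by '>'. A step cap stands in for the JVM heap limit.
"""
from dataclasses import dataclass


@dataclass
class Entity:
    """Stands in for fCurrentEntity: a character source with an explicit offset."""
    data: str
    offset: int = 0

    def read(self) -> int:
        # Like java.io.Reader.read(): the next char as an int, or -1 at end of input.
        # The offset is left where it is at EOF (assumption of this model).
        if self.offset >= len(self.data):
            return -1
        ch = self.data[self.offset]
        self.offset += 1
        return ord(ch)

    def unread(self) -> None:
        # Models the scanner pushing one character back (assumption of this model).
        self.offset -= 1


@dataclass
class ScanResult:
    body: str          # characters collected for the PI
    terminated: bool   # True when the loop exited on its own
    steps: int         # loop iterations consumed


def scan_pi(markup: str, patched: bool, max_steps: int = 10_000) -> ScanResult:
    """Scan a PI body whose opening '<?' has already been consumed.

    patched=False: after '?' or '/', only '>' ends the loop (pre-fix behaviour).
    patched=True:  after '?' or '/', '>' or -1 ends the loop (the fix).
    max_steps stands in for the JVM heap limit: the unpatched variant stops
    there instead of growing the buffer until OutOfMemoryError.
    """
    entity = Entity(markup)
    buf: list[str] = []
    for step in range(1, max_steps + 1):
        c = entity.read()
        if c == -1:
            # EOF reached outside the '?'/'/' branch: the scanner stops normally.
            return ScanResult("".join(buf), True, step)
        if c == ord("?") or c == ord("/"):
            c0 = chr(c)
            c = entity.read()
            if c == ord(">") or (patched and c == -1):
                return ScanResult("".join(buf), True, step)
            # Not the end of the PI: keep the '?' and re-examine the next char.
            buf.append(c0)
            entity.unread()  # at EOF this steps back onto the '?' itself
            continue
        buf.append(chr(c))
    # Cap reached: with the unpatched check, every pass appended another '?'.
    return ScanResult("".join(buf), False, max_steps)


if __name__ == "__main__":
    truncated = "xml version='1.0' ?"  # constructed: PI cut off before '>'
    print(scan_pi(truncated, patched=False, max_steps=50))
    print(scan_pi(truncated, patched=True))
```

With the input cut off right after the '?', the unpatched variant re-reads the same '?' on every pass and appends it again, so the buffer grows by one character per iteration until the cap; the patched variant returns on the first -1. Well-formed input ("...?>") terminates identically in both variants, which is why the fix carries no behavioural cost for valid markup.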
Detection Methods for CVE-2022-24839
Indicators of Compromise
- Unusual spikes in JVM heap memory usage in applications using NekoHTML
- Frequent java.lang.OutOfMemoryError exceptions in application logs
- HTTP requests containing malformed HTML with unusual processing instruction syntax
- Increased garbage collection activity followed by memory exhaustion
Detection Strategies
- Monitor application logs for OutOfMemoryError exceptions originating from org.cyberneko.html.HTMLScanner classes
- Implement resource monitoring to detect abnormal memory consumption patterns during HTML parsing operations
- Deploy web application firewalls (WAF) with rules to detect and block malformed HTML content patterns
- Use dependency scanning tools to identify vulnerable versions of NekoHTML in your application dependencies
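The first detection strategy above (OutOfMemoryError traces that pass through org.cyberneko.html.HTMLScanner) can be automated with a small log triage routine. This is an added example, not tooling from Nokogiri or nekohtml; the log lines are constructed for it, the com.example classes are placeholders, and the log line layout (timestamp, level, thread, message followed by tab-indented "at" frames) is an assumption about your logging format.

```python
"""Log triage for the CVE-2022-24839 indicator: OOM traces through HTMLScanner.

Added example, not tooling from Nokogiri or nekohtml. Groups a JVM log into
exception events (a java.lang.OutOfMemoryError line followed by its stack
frames) and flags those whose stack passes through org.cyberneko.html.HTMLScanner,
separating parser-driven memory exhaustion from unrelated OOMs.
"""
import re
from dataclasses import dataclass

# Assumed log layout: "<date> <time> <LEVEL> [<thread>] <message>".
OOM_RE = re.compile(r"^(?P<ts>\S+ \S+) .*java\.lang\.OutOfMemoryError")
# Java stack frame: "\tat <package.Class$Inner>.<method>(<location>)".
FRAME_RE = re.compile(r"^\s+at (?P<cls>[\w.$]+)\.(?P<method>[\w<>$]+)\(")
# Prefix match so inner classes (HTMLScanner$ContentScanner) are caught too.
NEKO_SCANNER = "org.cyberneko.html.HTMLScanner"

# Constructed sample log; com.example classes and frame locations are placeholders.
SAMPLE_LOG = """\
2024-05-01 10:00:01 INFO  [exec-1] request accepted: POST /render
2024-05-01 10:00:07 ERROR [exec-1] request failed: java.lang.OutOfMemoryError: Java heap space
\tat org.cyberneko.html.HTMLScanner$ContentScanner.scanPI(Unknown Source)
\tat org.cyberneko.html.HTMLScanner$ContentScanner.scan(Unknown Source)
\tat org.cyberneko.html.HTMLScanner.scanDocument(Unknown Source)
\tat com.example.web.RenderServlet.doPost(Unknown Source)
2024-05-01 10:00:08 INFO  [exec-2] request accepted: GET /healthz
2024-05-01 10:03:15 ERROR [exec-4] report failed: java.lang.OutOfMemoryError: Java heap space
\tat com.example.report.ReportBuilder.build(Unknown Source)
\tat com.example.web.ReportServlet.doGet(Unknown Source)
"""


@dataclass
class OomEvent:
    timestamp: str
    frames: list  # fully qualified class names, innermost frame first

    @property
    def via_nekohtml(self) -> bool:
        return any(f.startswith(NEKO_SCANNER) for f in self.frames)


def parse_oom_events(lines):
    """Collect OOM events; a trace ends at the first line that is not a frame."""
    events, current = [], None
    for line in lines:
        m = OOM_RE.match(line)
        if m:
            current = OomEvent(m.group("ts"), [])
            events.append(current)
            continue
        f = FRAME_RE.match(line)
        if f and current is not None:
            current.frames.append(f.group("cls"))
        else:
            current = None
    return events


def triage(log_text: str) -> dict:
    """Summarise OOM events and return the ones attributable to the HTML scanner."""
    events = parse_oom_events(log_text.splitlines())
    flagged = [e for e in events if e.via_nekohtml]
    return {
        "oom_events": len(events),
        "nekohtml_oom_events": len(flagged),
        "flagged": flagged,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary["oom_events"], "OOM events,", summary["nekohtml_oom_events"], "via NekoHTML")
    for event in summary["flagged"]:
        print(event.timestamp, "innermost frame:", event.frames[0])
```

In the constructed log only the first OOM is attributed to the parser; the second is an unrelated heap exhaustion and is counted but not flagged, which keeps the alert specific to this CVE rather than to any memory pressure. Correlating the flagged timestamp with the request log (the exec-1 POST /render line here) identifies the request that carried the malformed markup.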
Monitoring Recommendations
- Configure JVM memory alerts to trigger when heap usage exceeds normal operational thresholds
- Implement request timeout policies for HTML parsing operations to prevent long-running parse operations
- Log and analyze incoming HTML content patterns that trigger parsing errors
- Monitor application availability and response times for services that process HTML content
How to Mitigate CVE-2022-24839
Immediate Actions Required
- Upgrade to NekoHTML version 1.9.22.noko2 or later immediately
- Review and update Oracle WebLogic Server installations to patched versions per the Oracle Security Alert July 2022
- Implement input size limits for HTML content submitted to applications
- Configure JVM memory limits and enable automatic restart on OutOfMemoryError conditions
Patch Information
The vulnerability has been addressed in NekoHTML version 1.9.22.noko2 and later. Users of Nokogiri should update their dependencies to pull in the patched NekoHTML fork. The security fix is documented in the GitHub Security Advisory GHSA-9849.
For Oracle WebLogic Server deployments, apply the patches referenced in the Oracle Security Alert July 2022. Affected versions include 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
Workarounds
- Implement input validation to reject HTML content exceeding reasonable size thresholds before parsing
- Configure resource limits (memory, CPU time) for HTML parsing operations at the application or container level
- Deploy a reverse proxy or WAF to inspect and filter potentially malicious HTML content
- Consider using alternative HTML parsing libraries if immediate patching is not feasible
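The first two workarounds above can be enforced before untrusted markup reaches the parser. This is an added example, not part of Nokogiri or nekohtml: it assumes markup arrives as bytes, uses a constructed default size limit, and treats a '<?' that is not followed by '?>' or '/>' before end of input as ill-formed, which is the termination the patched scanner checks for ('>' after '?' or '/').

```python
"""Pre-parse guard for untrusted HTML, a workaround layer for CVE-2022-24839.

Added example; not part of Nokogiri or nekohtml. Applies two of the workarounds
listed on the page before markup reaches the parser: a hard size limit and a
structural check that every processing instruction opened with '<?' is closed
('?>' or '/>') before the input ends.
"""
from dataclasses import dataclass

MAX_HTML_BYTES = 512 * 1024  # constructed default for this example; tune per application


@dataclass(frozen=True)
class GuardResult:
    accepted: bool
    reason: str


def has_unterminated_pi(markup: str) -> bool:
    """True if some '<?' is never followed by a '?>' or '/>' before end of input."""
    pos = 0
    while (start := markup.find("<?", pos)) != -1:
        end = start + 2
        # Advance to the first '>' preceded by '?' or '/', the terminator the scanner expects.
        while (end := markup.find(">", end)) != -1 and markup[end - 1] not in "?/":
            end += 1
        if end == -1:
            return True
        pos = end + 1
    return False


def guard_html(markup: bytes, max_bytes: int = MAX_HTML_BYTES) -> GuardResult:
    """Reject oversized input and unterminated PIs; accept everything else for parsing."""
    if len(markup) > max_bytes:
        return GuardResult(False, f"input of {len(markup)} bytes exceeds limit of {max_bytes}")
    # Decode leniently: the check is structural, so replacement characters are fine.
    text = markup.decode("utf-8", errors="replace")
    if has_unterminated_pi(text):
        return GuardResult(False, "processing instruction opened with '<?' is never closed")
    return GuardResult(True, "ok")


if __name__ == "__main__":
    # Constructed inputs: a well-formed document and one cut off inside a PI.
    print(guard_html(b"<?xml version='1.0'?><html><body>ok</body></html>"))
    print(guard_html(b"<html><body><?xml version='1.0'"))
```

The size check runs first because it is the cheaper of the two and bounds the cost of the string scan. The PI check is deliberately conservative (a '<?' closed by a bare '>' is rejected as well); a parser that has been upgraded to 1.9.22.noko2 no longer needs it, but keeping the size limit is sound regardless.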
Configuration example - Maven dependency update. Update your pom.xml to use the patched version:
<dependency>
  <groupId>org.nokogiri</groupId>
  <artifactId>nekohtml</artifactId>
  <version>1.9.22.noko2</version>
</dependency>
For Bundler (Ruby/Nokogiri), update the Gemfile:
gem 'nokogiri', '>= 1.13.4'
Verify the installed version:
bundle show nokogiri
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.