CGA-q6w6-h4w6-mg3r

Published

Last updated

https://images.chainguard.dev/security/CGA-q6w6-h4w6-mg3r

Package

gitlab-rails-ee-17.4

Repository

Chainguard

Latest Update

Under investigation

Aliases

GHSA-5mwf-688x-mr7x

Summary

Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

References

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-q6w6-h4w6-mg3r

Summary

Description

Duplicate Advisory

Original Description

Summary

Impact

CVE-2025-24928

CVE-2024-56171

References

Updates

Products

Why Chainguard

Customers

Company

Resources