CGA-v526-3hr8-272x

Published

Last updated

https://images.chainguard.dev/security/CGA-v526-3hr8-272x

Package

gitlab-rails-ee-17.2

Repository

Chainguard

Latest Update

Under investigation

Aliases

GHSA-vvfq-8hwr-qm4m

Summary

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

References

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-v526-3hr8-272x

Summary

Description

Summary

Impact

CVE-2025-24928

CVE-2024-56171

References

Updates

Products

Why Chainguard

Customers

Company

Resources