How the CVE works (ReDoS via exponential backtracking):
The vulnerability exists in Nokogiri's CSS selector tokenizer, which uses regular expressions to recognize string literals, identifiers, and hex escapes. Under normal input, matching completes quickly. An attacker, however, can craft a CSS selector containing an unterminated quoted string or a long run of hex escapes that triggers catastrophic backtracking. For example, a string literal such as `"\\\\\\\\` (an opening quote, a long run of backslashes, and no closing quote) forces the regex engine to try exponentially many ways of pairing up the backslashes before it finally fails. Similarly, identifiers built from repeated hex escapes (e.g., `\00\00\00...`) force exhaustive path exploration. The problematic regexes lack atomic grouping or possessive quantifiers, so nested quantifiers (`*`, `+`) combine with overlapping alternation, and when the input is adversarial the matching time grows exponentially with the length of the selector.

This affects every method that funnels user input into the tokenizer: `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`. An attacker who can supply arbitrary text to any of these methods can cause a denial of service (DoS): the match pins a CPU core at 100% for seconds or minutes and, because Ruby holds the GVL for the duration of a regex match, every other thread in that process stalls with it.
dailycve form:
Platform: Nokogiri (Ruby)
Version: < 1.19.3
Vulnerability: ReDoS
Severity: High
date: 2025-01-15
Prediction: Patch already released
What Undercode Says:
Analytics:
```shell
# Simulate exponential backtracking with a malicious selector: an opening quote,
# 100 backslashes and no closing quote (the unterminated-string shape described above)
ruby -r nokogiri -e '
selector = "\"" + "\\" * 100 + "x"
start = Time.now
Nokogiri::CSS.xpath_for(selector) rescue nil
puts "Time: #{Time.now - start} seconds"
'

# Check for a vulnerable version
ruby -r nokogiri -e 'puts "Vulnerable!" if Gem::Version.new(Nokogiri::VERSION) < Gem::Version.new("1.19.3")'
```
Exploit:
Attacker supplies a CSS selector such as an unterminated string literal (`"\\\\\\\\...`) or an identifier made of repeated hex escapes (`\00\00\00...`) to any public method that parses selectors (e.g., `Node#css`). The regex engine enters catastrophic backtracking and pins a CPU core for a time that grows exponentially with the length of the malicious run, so a selector only a few dozen characters longer goes from milliseconds to never finishing in practice.
Protection from this CVE:
- Upgrade to Nokogiri ≥ 1.19.3.
- If upgrading is impossible, set `Regexp.timeout = 0.5` (Ruby ≥ 3.2) to abort long-running regex matches. The CSS tokenizer's patterns run as ordinary Ruby `Regexp` matches, so the process-wide limit covers them; the abort surfaces as `Regexp::TimeoutError`, which the code calling Nokogiri must rescue and treat as a rejected selector rather than an unhandled crash.
- Avoid passing untrusted user input as CSS selectors. Where a selector must depend on user input, allowlist the accepted selectors or validate the one user-controlled piece (an attribute value, a class name) and interpolate only that into a fixed selector template; never accept raw selector text.
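As an added example (not Nokogiri's code, and not the project's own tokenizer regexes), the following Ruby script models both the mechanism described under "How the CVE works" and the `Regexp.timeout` mitigation above: a string-literal regex and a hex-escape identifier regex in the ambiguous shape that backtracks exponentially, each beside a hardened form using disjoint alternation and an atomic group, plus a budgeted matcher that turns `Regexp::TimeoutError` into a rejection. The patterns, the helper names (`scan_token`, `with_budget`, `timed`) and the adversarial inputs are constructed for illustration and are assumptions, not taken from Nokogiri.

```ruby
# Added example, not Nokogiri's code: the two regex shapes the advisory contrasts,
# with a budgeted matcher. The patterns below are simplified stand-ins for a CSS
# tokenizer's string-literal and identifier rules; names and inputs are assumptions.

# A CSS string literal: quote, then plain characters or backslash escapes, then quote.
# Ambiguous: a backslash can be consumed either by `\\.` (an escape) or by `[^"]`
# (a plain character). When the closing quote never arrives, the engine retries
# every way of splitting the backslash run before it reports failure (~1.6^n tries).
VULNERABLE_STRING = /\A"(?:\\.|[^"])*"/m

# Hardened: the branches are disjoint (`[^"\\]` no longer admits a backslash) and the
# atomic group `(?>...)` forbids re-entering the repetition once it has finished,
# so a missing closing quote fails in a single pass.
HARDENED_STRING = /\A"(?>(?:\\.|[^"\\])*)"/m

# The same ambiguity for identifiers with hex escapes: `\00` can be taken as a
# two-digit escape, a one-digit escape plus a digit, or a non-hex escape plus a
# digit, i.e. 3 ways per escape and 3^n attempts once the anchored match fails.
VULNERABLE_IDENT = /\A(?:\\[0-9a-fA-F]{1,6}|\\.|[\w-])+\z/
HARDENED_IDENT   = /\A(?>(?:\\[0-9a-fA-F]{1,6}|\\[^0-9a-fA-F]|[\w-])+)\z/

# Constructed adversarial inputs in the shape the text describes (no closing quote;
# a run of hex escapes followed by a character no branch accepts).
def unterminated_string(n)
  '"' + ('\\' * n) + 'x'
end

def hex_escape_ident(n)
  ('\\00' * n) + '!'
end

# Ruby >= 3.2 can bound one match with Regexp.new(..., timeout:); older Rubies get no
# budget, so the capability is checked rather than assumed.
TIMEOUT_ERROR = defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

def with_budget(regex, seconds)
  return regex unless Regexp.respond_to?(:timeout=)
  Regexp.new(regex.source, regex.options, timeout: seconds)
end

# Returns the matched token, nil when the input is not a token, or :timeout when the
# budget ran out. Callers treat nil and :timeout the same way: reject the selector.
def scan_token(regex, input, budget: 0.5)
  m = with_budget(regex, budget).match(input)
  m && m[0]
rescue TIMEOUT_ERROR
  :timeout
end

# Returns [result, elapsed_seconds] so the two shapes can be compared side by side.
def timed(regex, input, budget: 2.0)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = scan_token(regex, input, budget: budget)
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

if __FILE__ == $PROGRAM_NAME
  # Small sizes so the script finishes on any interpreter; raise them to see the growth.
  [["string", VULNERABLE_STRING, HARDENED_STRING, unterminated_string(22)],
   ["ident",  VULNERABLE_IDENT,  HARDENED_IDENT,  hex_escape_ident(8)]].each do |name, bad, good, input|
    r1, t1 = timed(bad, input)
    r2, t2 = timed(good, input)
    printf("%-6s vulnerable: %-8s %.4fs | hardened: %-8s %.4fs\n",
           name, r1.inspect, t1, r2.inspect, t2)
  end
end
```

Run it and compare the two columns, then raise the sizes passed to `unterminated_string` and `hex_escape_ident` a few characters at a time. On a Ruby before 3.2 the vulnerable column grows geometrically (roughly 1.6x per extra backslash, 3x per extra hex escape) while the hardened column stays flat. Ruby 3.2 also added regex match memoization that makes many such patterns linear, so on a newer interpreter the vulnerable form may stay fast; that is why one interpreter's timing is not a substitute for fixing the pattern. Note that `Regexp.timeout=` is process-wide on 3.2+, whereas `Regexp.new(..., timeout:)` as used here scopes the budget to a single pattern.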
Impact:
- Availability: High – unauthenticated remote attacker can cause DoS via CPU exhaustion.
- Confidentiality: None – no data leak.
- Integrity: None – no data modification.
- CVSS 3.x base score: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Sources:
Reported By: github.com

