{"id":"GHSA-c4rq-3m3g-8wgx","summary":"Nokogiri CSS selector tokenizer has regular expression backtracking","details":"## Summary\n\nNokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:\n\n1. String-literal tokenization on certain unterminated quoted-string input.\n2. String-literal tokenization on a separate class of hex-escape-rich input.\n3. Identifier tokenization on hex-escape-rich input.\n\nThe public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.19.3`.\n\nIf users are unable to upgrade, two options are available:\n\n- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.\n- Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).\n\nAn attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.\n\n\n## Resources\n\n- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)\n\n\n## Credit\n\nVector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.","modified":"2026-05-09T10:44:28.215577764Z","published":"2026-05-06T18:24:18Z","related":["CGA-h579-46gh-f4hg"],"database_specific":{"severity":"HIGH","github_reviewed_at":"2026-05-06T18:24:18Z","cwe_ids":["CWE-1333"],"nvd_published_at":null,"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx"},{"type":"PACKAGE","url":"https://github.com/sparklemotion/nokogiri"}],"affected":[{"package":{"name":"nokogiri","ecosystem":"RubyGems","purl":"pkg:gem/nokogiri"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.19.3"}]}],"versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0","1.1.1","1.10.0","1.10.0.rc1","1.10.1","1.10.10","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.10.8","1.10.9","1.11.0","1.11.0.rc1","1.11.0.rc2","1.11.0.rc3","1.11.0.rc4","1.11.1","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.12.0","1.12.0.rc1","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.13.0","1.13.1","1.13.10","1.13.2","1.13.3","1.13.4","1.13.5","1.13.6","1.13.7","1.13.8","1.13.9","1.14.0","1.14.0.rc1","1.14.1","1.14.2","1.14.3","1.14.4","1.14.5","1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.15.5","1.15.6","1.15.7","1.16.0","1.16.0.rc1","1.16.1","1.16.2","1.16.3","1.16.4","1.16.5","1.16.6","1.16.7","1.16.8","1.17.0","1.17.1","1.17.2","1.18.0","1.18.0.rc1","1.18.1","1.18.10","1.18.2","1.18.3","1.18.4","1.18.5","1.18.6","1.18.7","1.18.8","1.18.9","1.19.0","1.19.1","1.19.2","1.2.0","1.2.1","1.2.2","1.2.3","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.2","1.4.2.1","1.4.3","1.4.3.1","1.4.4","1.4.4.1","1.4.4.2","1.4.5","1.4.6","1.4.7","1.5.0","1.5.0.beta.1","1.5.0.beta.2","1.5.0.beta.3","1.5.0.beta.4","1.5.1","1.5.1.rc1","1.5.10","1.5.11","1.5.2","1.5.3","1.5.3.rc2","1.5.3.rc3","1.5.3.rc4","1.5.3.rc5","1.5.3.rc6","1.5.4","1.5.4.rc1","1.5.4.rc2","1.5.4.rc3","1.5.5","1.5.5.rc1","1.5.5.rc2","1.5.5.rc3","1.5.6","1.5.6.rc1","1.5.6.rc2","1.5.6.rc3","1.5.7","1.5.7.rc1","1.5.7.rc2","1.5.7.rc3","1.5.8","1.5.9","1.6.0","1.6.0.rc1","1.6.1","1.6.2","1.6.2.1","1.6.2.rc1","1.6.2.rc2","1.6.2.rc3","1.6.3","1.6.3.1","1.6.3.rc1","1.6.3.rc2","1.6.3.rc3","1.6.4","1.6.4.1","1.6.5","1.6.6.1","1.6.6.2","1.6.6.3","1.6.6.4","1.6.7","1.6.7.1","1.6.7.2","1.6.7.rc2","1.6.7.rc3","1.6.7.rc4","1.6.8","1.6.8.1","1.6.8.rc1","1.6.8.rc2","1.6.8.rc3","1.7.0","1.7.0.1","1.7.1","1.7.2","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.9.0","1.9.0.rc1","1.9.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c4rq-3m3g-8wgx/GHSA-c4rq-3m3g-8wgx.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}