[GHSA-jc9r-qcgw-fxq9] A vulnerability was found in sparklemotion nokogiri up to... #5778

Conversation

flavorjones

Updates

  • Affected products
  • CVSS v3
  • CVSS v4
  • Description
  • Severity
  • Summary

Comments
I'm the maintainer and have officially disputed this CVE with the CNA, VulDB. They have updated the description to note the dispute and provide additional information. I've proposed adopting the updated description.

@Copilot Copilot AI review requested due to automatic review settings June 30, 2025 19:25
@github-actions github-actions bot changed the base branch from main to flavorjones/advisory-improvement-5778 June 30, 2025 19:26

@Copilot Copilot AI left a comment

Pull Request Overview

This PR updates the advisory metadata for GHSA-jc9r-qcgw-fxq9 to adopt a disputed description, refine affected version ranges, and adjust severity.

  • Added a summary field and replaced details with a revised description noting the dispute and patch commit.
  • Populated the affected section with package ecosystem and an introduced version range.
  • Removed the old severity field and changed the final severity rating from “MODERATE” to “LOW”; updated the modified timestamp.
Comments suppressed due to low confidence (1)

advisories/unreviewed/2025/06/GHSA-jc9r-qcgw-fxq9/GHSA-jc9r-qcgw-fxq9.json:23

  • The version range only specifies an 'introduced' event without a corresponding 'fixed' event. It's best practice to include a 'fixed' version or commit SHA to clearly indicate when the vulnerability was resolved.
              "introduced": "0"
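Review bot: the only event in this range is `"introduced": "0"`, which marks every version of the package as affected, while the description adopted in this same PR states that the vulnerable commit was merged to main but never appeared in an official release; close the range with a `fixed` event (or narrow it), for example a GIT-type range whose `fixed` event is the patch commit ada4708e5a67114402cd3feb70a4e1d1d7cf773a named in the description, so that tools consuming the advisory do not flag released versions.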

"severity": [
"summary": "sparklemotion nokogiri hashmap.c hashmap_get_with_hash heap-based overflow",
"details": "A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833. It has been classified as problematic. This affects the function hashmap_get_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.\n\n",
"severity": [],

Copilot AI Jun 30, 2025


There are two 'severity' fields in this JSON (an empty array here and a string at the bottom), which can cause ambiguity. Consider removing the unused array to keep the metadata consistent.

Suggested change
"severity": [],

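A small checker, added here as an example and not part of the GitHub Advisory Database tooling or the nokogiri project, that catches the two metadata problems raised in the review comments above: a version range with an `introduced` event and no closing `fixed` or `last_affected` event, and a severity recorded in two places (an empty top-level array next to a `database_specific` string) that can disagree. It parses the file with a duplicate-key hook because `json.loads` otherwise silently keeps the last of two identical keys, which is exactly the ambiguity a reviewer cannot see in a rendered diff. The advisory records below are constructed to mirror the fields quoted on this page and are not the real GHSA-jc9r-qcgw-fxq9 file; the OSV field names (`affected`, `ranges`, `events`, `database_specific`) are the schema's, the `RubyGems` ecosystem and the use of the two commit ids from the description as a GIT range are assumptions, and the finding messages are this example's own.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample mirroring the advisory fields quoted on this page; it is not the
# real GHSA-jc9r-qcgw-fxq9 file. The details text is shortened and the package
# ecosystem is an assumption.
SAMPLE_ADVISORY = r'''{
  "id": "GHSA-jc9r-qcgw-fxq9",
  "summary": "sparklemotion nokogiri hashmap.c hashmap_get_with_hash heap-based overflow",
  "details": "A vulnerability was found in sparklemotion nokogiri (shortened sample text).\n\n",
  "severity": [],
  "affected": [{
    "package": {"ecosystem": "RubyGems", "name": "nokogiri"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]
  }],
  "database_specific": {"severity": "LOW"}
}'''

# Corrected form of the same record (also constructed): the empty array is gone, the
# details text is trimmed, and the range is closed. The GIT range reuses the commit
# ids named in the description; treating them as introduced/fixed is an assumption.
FIXED_ADVISORY = r'''{
  "id": "GHSA-jc9r-qcgw-fxq9",
  "summary": "sparklemotion nokogiri hashmap.c hashmap_get_with_hash heap-based overflow",
  "details": "A vulnerability was found in sparklemotion nokogiri (shortened sample text).",
  "affected": [{
    "package": {"ecosystem": "RubyGems", "name": "nokogiri"},
    "ranges": [{"type": "GIT", "repo": "https://github.com/sparklemotion/nokogiri",
                "events": [{"introduced": "c29c920907366cb74af13b4dc2230e9c9e23b833"},
                           {"fixed": "ada4708e5a67114402cd3feb70a4e1d1d7cf773a"}]}]
  }],
  "database_specific": {"severity": "LOW"}
}'''

# Constructed record with a genuinely repeated key; json.loads would keep only "LOW".
SAMPLE_WITH_DUPLICATE_KEY = r'''{"id": "GHSA-jc9r-qcgw-fxq9", "severity": [], "severity": "LOW"}'''


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key; plain json.loads keeps the last one silently."""


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    # object_pairs_hook receives every (key, value) pair of one object in order, so a
    # repeated key is visible here even though a dict would have overwritten it.
    seen: dict[str, Any] = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def load_strict(text: str) -> dict[str, Any]:
    """Parse advisory JSON, refusing any object that repeats a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def duplicate_key_detected(text: str) -> bool:
    """True when the document contains a repeated key in some object."""
    try:
        load_strict(text)
    except DuplicateKeyError:
        return True
    return False


def lint_advisory(adv: dict[str, Any]) -> list[str]:
    """Return human-readable findings for the metadata problems discussed in the review."""
    findings: list[str] = []

    # Finding 1: an empty OSV 'severity' array beside a database_specific severity string
    # leaves two places that can disagree about how severe the issue is.
    osv_sev = adv.get("severity")
    db_sev = adv.get("database_specific", {}).get("severity")
    if osv_sev == [] and db_sev is not None:
        findings.append(f"top-level severity is empty while database_specific.severity is {db_sev!r}")

    # Finding 2: a range that opens with 'introduced' should close with 'fixed' or
    # 'last_affected'; otherwise every version from the introduced one counts as affected.
    for affected in adv.get("affected", []):
        name = affected.get("package", {}).get("name", "?")
        for r_idx, rng in enumerate(affected.get("ranges", [])):
            kinds = {k for event in rng.get("events", []) for k in event}
            if "introduced" in kinds and not kinds & {"fixed", "last_affected"}:
                findings.append(f"{name}: ranges[{r_idx}] has 'introduced' but no 'fixed'/'last_affected' event")

    # Finding 3: trailing newlines in 'details' render as blank lines in the advisory text.
    details = adv.get("details", "")
    if details != details.rstrip():
        findings.append("details ends with trailing whitespace")
    return findings


if __name__ == "__main__":
    for label, text in [("as submitted", SAMPLE_ADVISORY), ("corrected", FIXED_ADVISORY)]:
        print(label, lint_advisory(load_strict(text)) or ["no findings"])
    print("duplicate key rejected:", duplicate_key_detected(SAMPLE_WITH_DUPLICATE_KEY))
```

Running it against the constructed "as submitted" record yields three findings and against the corrected record none; the third sample is rejected outright by the strict loader, which is the behaviour you want in a pre-merge check, since a permissive parser would hand the downstream database whichever severity happened to come last in the file.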

"details": "A vulnerability was found in sparklemotion nokogiri up to 1.18.7. It has been classified as problematic. This affects the function hashmap_get_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.",
"severity": [
"summary": "sparklemotion nokogiri hashmap.c hashmap_get_with_hash heap-based overflow",
"details": "A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833. It has been classified as problematic. This affects the function hashmap_get_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.\n\n",
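Review bot: the replacement `details` string ends with `\n\n`, two escaped newlines that render as trailing blank lines in the advisory text; trim the value so it ends at "official release." Dropping the old bound "up to 1.18.7" in favour of the commit id is consistent with the maintainer's account that the code never shipped in a release, but that makes it all the more important that the affected range in this same PR does not claim every version from "0".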

Copilot AI Jun 30, 2025


[nitpick] The phrase 'An attack has to be approached locally' is unclear. Consider rephrasing to something like 'Exploitation requires local access' to improve readability.

Suggested change
"details": "A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833. It has been classified as problematic. This affects the function hashmap_get_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.\n\n",
"details": "A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833. It has been classified as problematic. This affects the function hashmap_get_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. Exploitation requires local access. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.\n\n",


@advisory-database advisory-database bot merged commit aedcef5 into flavorjones/advisory-improvement-5778 Jun 30, 2025
4 checks passed
@advisory-database
Contributor

Hi @flavorjones! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the flavorjones-GHSA-jc9r-qcgw-fxq9 branch June 30, 2025 20:45