CVE-2025-6490
Published: June 25, 2025Last modified: July 5, 2025
Description
A vulnerability was found in sparklemotion nokogiri up to 1.18.7 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.3 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | NONE |
| Availability impact | LOW |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | ruby-nokogiri | Unknown (1.13.9-r1) |
| Stream | ruby-nokogiri | Unknown (1.13.9-r1) |
References
- https://github.com/sparklemotion/nokogiri/commit/ada4708e5a67114402cd3feb70a4e1d1d7cf773a
- https://github.com/sparklemotion/nokogiri/issues/3500
- https://github.com/sparklemotion/nokogiri/pull/3524
- https://github.com/user-attachments/files/19625432/nokogiri_crash.txt
- https://vuldb.com/?ctiid.313601
- https://vuldb.com/?id.313601
- https://vuldb.com/?submit.601005