Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29181.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-241"
]
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.13.6"
}
],
"cpe": "cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*"
}"2026-07-15T01:35:13Z"
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29181.json"
[
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 311.0,
"function_hash": "339774057150225604830925007899139441664"
},
"deprecated": false,
"id": "CVE-2022-29181-08218874",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_io"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 440.0,
"function_hash": "156700175685575345307480125041260173150"
},
"deprecated": false,
"id": "CVE-2022-29181-1630bc76",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_memory"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 311.0,
"function_hash": "339774057150225604830925007899139441664"
},
"deprecated": false,
"id": "CVE-2022-29181-1e36b4c7",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_io"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"line_hashes": [
"32660667544791835419492192119628462419",
"107509837605578032575666489903065846394",
"82339482050122467544479565850719152695",
"35316597750796945202672617103511275162",
"64023981287457464679046336078146686527",
"70256715334098376590202143321581670244",
"307505881030890224483924028945227594477",
"153908013770662347021857042754056368166",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796",
"285155501316326881376048425303443337705",
"322197686736064847564962717883962289003"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-1f19053f",
"signature_type": "Line",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 251.0,
"function_hash": "212191781225457695491386033688224906340"
},
"deprecated": false,
"id": "CVE-2022-29181-22439742",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java",
"function": "parse_io"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 915.0,
"function_hash": "176127679834381012146427679809076348549"
},
"deprecated": false,
"id": "CVE-2022-29181-28f6af2a",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "noko_init_xml_sax_parser_context"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 915.0,
"function_hash": "176127679834381012146427679809076348549"
},
"deprecated": false,
"id": "CVE-2022-29181-29f6d5f5",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "noko_init_xml_sax_parser_context"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 356.0,
"function_hash": "294968138415222748329321953319310436323"
},
"deprecated": false,
"id": "CVE-2022-29181-347206fc",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_io"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 715.0,
"function_hash": "127238979648815204612396819651147529331"
},
"deprecated": false,
"id": "CVE-2022-29181-3ae0d8a8",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c",
"function": "parse_memory"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"line_hashes": [
"301974088387910415895165297468897494853",
"262078244075390359928913097953673686959",
"332161118915953394321811625135653679747",
"37485012236067294588749722995528365636",
"235067727987673492805409627799828865989"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-3b25b21e",
"signature_type": "Line",
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 297.0,
"function_hash": "267902176412199800154903533136942249800"
},
"deprecated": false,
"id": "CVE-2022-29181-4e57f768",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_file"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"line_hashes": [
"251130477431979476662424461810691582938",
"34541768503110933539975464747105694011",
"272126993558759473010658636557092160129",
"247119134650593912805485105462029812584",
"200848791623806623448935133558450604572",
"269585636492925187769830241646393940632",
"130546992641210218792316502141335517451"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-5058400a",
"signature_type": "Line",
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"line_hashes": [
"228948493316227740900978492420613898378",
"297369657864748533146341721710689031079",
"100207569160225581353473082597370343087",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-56889168",
"signature_type": "Line",
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"line_hashes": [
"228948493316227740900978492420613898378",
"297369657864748533146341721710689031079",
"100207569160225581353473082597370343087",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-5742102c",
"signature_type": "Line",
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 262.0,
"function_hash": "205531008590026051851218986025663118423"
},
"deprecated": false,
"id": "CVE-2022-29181-5e3cf5a8",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java",
"function": "setIOInputSource"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"line_hashes": [
"301974088387910415895165297468897494853",
"262078244075390359928913097953673686959",
"332161118915953394321811625135653679747",
"37485012236067294588749722995528365636",
"235067727987673492805409627799828865989"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-8565521e",
"signature_type": "Line",
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"line_hashes": [
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"339844541191640777103824805018317601737",
"201412992390040745034561854691694232729",
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"33723629034192463124448976271557698700",
"279827863847969284732147331499160204438"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-91597b4f",
"signature_type": "Line",
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 440.0,
"function_hash": "156700175685575345307480125041260173150"
},
"deprecated": false,
"id": "CVE-2022-29181-a4320415",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_memory"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 356.0,
"function_hash": "294968138415222748329321953319310436323"
},
"deprecated": false,
"id": "CVE-2022-29181-adbe964b",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_io"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 715.0,
"function_hash": "127238979648815204612396819651147529331"
},
"deprecated": false,
"id": "CVE-2022-29181-b0040838",
"signature_type": "Function",
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c",
"function": "parse_memory"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"line_hashes": [
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"339844541191640777103824805018317601737",
"201412992390040745034561854691694232729",
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"33723629034192463124448976271557698700",
"279827863847969284732147331499160204438"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-b22c5a79",
"signature_type": "Line",
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"line_hashes": [
"251130477431979476662424461810691582938",
"34541768503110933539975464747105694011",
"272126993558759473010658636557092160129",
"247119134650593912805485105462029812584",
"200848791623806623448935133558450604572",
"269585636492925187769830241646393940632",
"130546992641210218792316502141335517451"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-b3184692",
"signature_type": "Line",
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 297.0,
"function_hash": "267902176412199800154903533136942249800"
},
"deprecated": false,
"id": "CVE-2022-29181-b9900a3e",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_file"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"length": 262.0,
"function_hash": "205531008590026051851218986025663118423"
},
"deprecated": false,
"id": "CVE-2022-29181-d37b0a02",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java",
"function": "setIOInputSource"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"signature_version": "v1",
"digest": {
"length": 251.0,
"function_hash": "212191781225457695491386033688224906340"
},
"deprecated": false,
"id": "CVE-2022-29181-dcda49d2",
"signature_type": "Function",
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java",
"function": "parse_io"
}
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"signature_version": "v1",
"digest": {
"line_hashes": [
"32660667544791835419492192119628462419",
"107509837605578032575666489903065846394",
"82339482050122467544479565850719152695",
"35316597750796945202672617103511275162",
"64023981287457464679046336078146686527",
"70256715334098376590202143321581670244",
"307505881030890224483924028945227594477",
"153908013770662347021857042754056368166",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796",
"285155501316326881376048425303443337705",
"322197686736064847564962717883962289003"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-29181-e7a9b689",
"signature_type": "Line",
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c"
}
}
]