GHSA-pf6m-fxpq-fg8v

GitHub Security Advisory

Nokogiri implementation of libxslt lacks integer overflow checks

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

The xsltAddTextString function in transform.c in libxslt 1.1.29, as bundled with Nokogiri prior to 1.7.2, lacks an integer overflow check in the size calculation it performs when growing its text buffer. A sufficiently large input text can wrap that calculation to a small value, so the buffer is allocated smaller than the data subsequently copied into it. A remote attacker can trigger this out-of-bounds memory write by supplying a crafted HTML page to be transformed.
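The following C example is added here to illustrate the class of bug the advisory describes; it is not libxslt or Nokogiri code. It models a growable text buffer with int counters (as xsltAddTextString uses), shows a representative unchecked growth formula wrapping in 32-bit arithmetic, and shows the check a hardened append performs before it touches the allocation. The type and function names (textbuf, textbuf_min_size, textbuf_append, unchecked_grow_size) and the growth formula are assumptions for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical text accumulator modelled on the advisory's description:
 * a growable buffer, a bytes-in-use count and an allocated size, all ints. */
typedef struct {
    char *content;  /* NUL-terminated text */
    int use;        /* bytes in use, excluding the terminator */
    int size;       /* bytes allocated */
} textbuf;

/* Minimum allocation needed to append len bytes plus a NUL terminator.
 * Returns 0 and sets *min_size, or -1 if use + len + 1 would exceed INT_MAX.
 * The subtraction form is itself overflow-free, unlike testing
 * 'use + len + 1 > INT_MAX' after the addition has already wrapped. */
int textbuf_min_size(int use, int len, int *min_size) {
    if (use < 0 || len < 0) return -1;
    if (len > INT_MAX - use - 1) return -1;   /* the missing overflow check */
    *min_size = use + len + 1;
    return 0;
}

/* Append len bytes of s. Returns 0 on success, -1 on overflow or allocation
 * failure; on -1 the buffer is left unchanged and nothing is copied. */
int textbuf_append(textbuf *tb, const char *s, int len) {
    int min_size;
    if (textbuf_min_size(tb->use, len, &min_size) != 0) return -1;
    if (tb->size < min_size) {
        /* Grow by at least 100 bytes, doubling when possible, and saturate at
         * INT_MAX instead of wrapping. */
        int extra = min_size < 100 ? 100 : min_size;
        int new_size = (extra > INT_MAX - tb->size) ? INT_MAX : tb->size + extra;
        char *nb = realloc(tb->content, (size_t)new_size);
        if (nb == NULL) return -1;
        tb->content = nb;
        tb->size = new_size;
    }
    memcpy(tb->content + tb->use, s, (size_t)len);
    tb->use += len;
    tb->content[tb->use] = '\0';
    return 0;
}

/* A representative unchecked growth calculation (an assumption, not quoted
 * from libxslt): new_size = (size + len + 100) * 2 in 32-bit arithmetic.
 * Signed overflow is undefined behaviour in C, so the wrap is modelled with
 * uint32_t; the point is that the result can be far smaller than size + len,
 * so a following memcpy of len bytes writes past the allocation. */
uint32_t unchecked_grow_size(uint32_t size, uint32_t len) {
    return (size + len + 100u) * 2u;
}

int main(void) {
    textbuf tb = {NULL, 0, 0};
    textbuf_append(&tb, "safe append", 11);
    printf("appended \"%s\" (use=%d size=%d)\n", tb.content, tb.use, tb.size);
    printf("append of INT_MAX bytes rejected: %s\n",
           textbuf_append(&tb, "", INT_MAX) == -1 ? "yes" : "no");
    /* 0x7FFFFF00 + 200 + 100, doubled, exceeds 2^32 and wraps to 88. */
    printf("unchecked growth from 0x7FFFFF00 by 200 wraps to %u bytes\n",
           unchecked_grow_size(0x7FFFFF00u, 200u));
    free(tb.content);
    return 0;
}
```

The check that matters is the one in textbuf_min_size: it rejects the append before any size is computed or any allocation is made, so the copy never runs against an undersized buffer. Saturating the growth step at INT_MAX is secondary; it keeps the doubling heuristic from reintroducing the same wrap.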

Affected Packages

RubyGems nokogiri
Affected versions: all versions before 1.7.2 (fixed in 1.7.2)

Key Information

GHSA ID
GHSA-pf6m-fxpq-fg8v
Published
July 31, 2018 6:21 PM
Last Modified
July 3, 2023 11:57 PM
CVSS Score
7.5 / 10
Primary Ecosystem
RubyGems
Primary Package
nokogiri
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.