From efe9b4330700b39bb795bf8226b54a89cdecd3a3 Mon Sep 17 00:00:00 2001 From: Wladimir Braguini Domingues Date: Sat, 9 May 2026 19:08:45 -0300 Subject: [PATCH] chore: add 2 brand new nokogiri advisories --- gems/nokogiri/GHSA-c4rq-3m3g-8wgx.yml | 49 +++++++++++++++++++++++++++ gems/nokogiri/GHSA-v2fc-qm4h-8hqv.yml | 45 ++++++++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 gems/nokogiri/GHSA-c4rq-3m3g-8wgx.yml create mode 100644 gems/nokogiri/GHSA-v2fc-qm4h-8hqv.yml diff --git a/gems/nokogiri/GHSA-c4rq-3m3g-8wgx.yml b/gems/nokogiri/GHSA-c4rq-3m3g-8wgx.yml new file mode 100644 index 0000000000..918034b821 --- /dev/null +++ b/gems/nokogiri/GHSA-c4rq-3m3g-8wgx.yml 
@@ -0,0 +1,49 @@ +--- +gem: nokogiri +ghsa: c4rq-3m3g-8wgx +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx +title: Nokogiri CSS selector tokenizer has regular expression backtracking +date: 2026-05-06 +description: | + ## Summary + + Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release: + + 1. String-literal tokenization on certain unterminated quoted-string input. + 2. String-literal tokenization on a separate class of hex-escape-rich input. + 3. Identifier tokenization on hex-escape-rich input. + + The public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`. + + + ## Mitigation + + Upgrade to Nokogiri `>= 1.19.3`. + + If users are unable to upgrade, two options are available: + + - Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed. + - Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time. + + ## Severity + + The Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`). + + An attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service. + + + ## Resources + + - [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html) + + + ## Credit + + Vector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report. 
+cvss_v3: 7.5 +patched_versions: + - ">= 1.19.3" +related: + url: + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx + - https://github.com/advisories/GHSA-c4rq-3m3g-8wgx diff --git a/gems/nokogiri/GHSA-v2fc-qm4h-8hqv.yml b/gems/nokogiri/GHSA-v2fc-qm4h-8hqv.yml new file mode 100644 index 0000000000..b632d6bcfd --- /dev/null +++ b/gems/nokogiri/GHSA-v2fc-qm4h-8hqv.yml 
@@ -0,0 +1,45 @@ +--- +gem: nokogiri +ghsa: v2fc-qm4h-8hqv +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv +title: Nokogiri XSLT transform has a memory leak +date: 2026-05-06 +description: | + ## Summary + + Nokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte. + + For applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack against long-running processes. + + + ## Mitigation + + Upgrade to Nokogiri `>= 1.19.3`. + + Users may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`. + + + ## Severity + + The Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3. + + Each leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected. + + Applications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice. + + + ## Resources + + - [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html) + + + ## Credit + + This vulnerability was responsibly reported by @Captainjack-kor. +cvss_v3: 5.3 +patched_versions: + - ">= 1.19.3" +related: + url: + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv + - https://github.com/advisories/GHSA-v2fc-qm4h-8hqv
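Review bot: In the GHSA-c4rq-3m3g-8wgx.yml hunk, the `related: url:` list repeats the advisory URL already recorded in the top-level `url:` key (`https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx`); drop the duplicate and keep only the `https://github.com/advisories/GHSA-c4rq-3m3g-8wgx` entry under `related`. The description block also carries doubled blank lines before `## Mitigation`, `## Resources` and `## Credit` while the other section breaks use a single one; collapse them for consistency. If a CVE identifier has been assigned to this advisory, add it under a `cve:` key so tooling that matches on CVE IDs rather than GHSA IDs picks the entry up.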
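Review bot: In the GHSA-v2fc-qm4h-8hqv.yml hunk, the `## Severity` section records only the score (`CVSS 5.3`) whereas the first advisory in this patch also includes the CVSS vector string; for consistency, include the vector from the upstream advisory alongside the score if it is published there. The mitigation sentence "validating untrusted transform parameters" could be made concrete, since the summary already names the trigger (a parameter string containing a null byte): stating that check explicitly helps readers who cannot upgrade. As in the other file, `related: url:` duplicates the top-level `url:` entry and can be reduced to the `https://github.com/advisories/GHSA-v2fc-qm4h-8hqv` link.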