Updated advisory posts against rubysec/ruby-advisory-db@0f5ad81

Author: wlads

advisories/_posts/2026-03-29-GHSA-53p3-c7vp-4mcc.md

@@ -0,0 +1,52 @@
+---
+layout: advisory
+title: 'GHSA-53p3-c7vp-4mcc (action_text-trix): Trix is vulnerable to XSS through
+  JSON deserialization bypass in drag-and-drop (Level0InputController)'
+comments: false
+categories:
+- action_text-trix
+advisory:
+  gem: action_text-trix
+  ghsa: 53p3-c7vp-4mcc
+  url: https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc
+  title: Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop
+    (Level0InputController)
+  date: 2026-03-29
+  description: |
+    ### Impact
+
+    The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS
+    when a crafted `application/x-trix-document` JSON payload is dropped
+    into the editor in environments using the fallback Level0InputController
+    (e.g., embedded WebViews lacking Input Events Level 2 support).
+
+    The `StringPiece.fromJSON` method trusted `href` attributes from the
+    JSON payload without sanitization. An attacker could craft a draggable
+    element containing a `javascript:` URI in the href attribute that,
+    when dropped into a vulnerable editor, would bypass DOMPurify
+    sanitization and inject executable JavaScript into the DOM.
+
+    Exploitation requires a specific environment (Level0InputController
+    fallback) and social engineering (victim must drag and drop
+    attacker-controlled content into the editor). Applications using
+    server-side HTML sanitization (such as Rails' built-in sanitizer)
+    are additionally protected, as the payload is neutralized on save.
+
+    ### Patches
+
+    Update Recommendation: Users should upgrade to Trix editor
+    version 2.1.18 or later.
+
+    ### References
+
+    The XSS vulnerability was responsibly reported by Hackerone
+    researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
+  patched_versions:
+  - ">= 2.1.18"
+  related:
+    url:
+    - https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc
+    - https://github.com/basecamp/trix/releases/tag/v2.1.18
+    - https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c
+    - https://github.com/advisories/GHSA-53p3-c7vp-4mcc
+---

advisories/_posts/2026-05-06-GHSA-c4rq-3m3g-8wgx.md

@@ -0,0 +1,57 @@
+---
+layout: advisory
+title: 'GHSA-c4rq-3m3g-8wgx (nokogiri): Nokogiri CSS selector tokenizer has regular
+  expression backtracking'
+comments: false
+categories:
+- nokogiri
+advisory:
+  gem: nokogiri
+  ghsa: c4rq-3m3g-8wgx
+  url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx
+  title: Nokogiri CSS selector tokenizer has regular expression backtracking
+  date: 2026-05-06
+  description: |
+    ## Summary
+
+    Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:
+
+    1. String-literal tokenization on certain unterminated quoted-string input.
+    2. String-literal tokenization on a separate class of hex-escape-rich input.
+    3. Identifier tokenization on hex-escape-rich input.
+
+    The public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`.
+
+
+    ## Mitigation
+
+    Upgrade to Nokogiri `>= 1.19.3`.
+
+    If users are unable to upgrade, two options are available:
+
+    - Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.
+    - Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.
+
+    ## Severity
+
+    The Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).
+
+    An attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.
+
+
+    ## Resources
+
+    - [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)
+
+
+    ## Credit
+
+    Vector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.
+  cvss_v3: 7.5
+  patched_versions:
+  - ">= 1.19.3"
+  related:
+    url:
+    - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx
+    - https://github.com/advisories/GHSA-c4rq-3m3g-8wgx
+---

advisories/_posts/2026-05-06-GHSA-v2fc-qm4h-8hqv.md

@@ -0,0 +1,52 @@
+---
+layout: advisory
+title: 'GHSA-v2fc-qm4h-8hqv (nokogiri): Nokogiri XSLT transform has a memory leak'
+comments: false
+categories:
+- nokogiri
+advisory:
+  gem: nokogiri
+  ghsa: v2fc-qm4h-8hqv
+  url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv
+  title: Nokogiri XSLT transform has a memory leak
+  date: 2026-05-06
+  description: |
+    ## Summary
+
+    Nokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte.
+
+    For applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack against long-running processes.
+
+
+    ## Mitigation
+
+    Upgrade to Nokogiri `>= 1.19.3`.
+
+    Users may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`.
+
+
+    ## Severity
+
+    The Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3.
+
+    Each leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.
+
+    Applications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.
+
+
+    ## Resources
+
+    - [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html)
+
+
+    ## Credit
+
+    This vulnerability was responsibly reported by @Captainjack-kor.
+  cvss_v3: 5.3
+  patched_versions:
+  - ">= 1.19.3"
+  related:
+    url:
+    - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv
+    - https://github.com/advisories/GHSA-v2fc-qm4h-8hqv
+---