GHSA-c4rq-3m3g-8wgx: Nokogiri CSS selector tokenizer has regular expression backtracking

May 6, 2026

Nokogiri’s CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:

String-literal tokenization on certain unterminated quoted-string input.
String-literal tokenization on a separate class of hex-escape-rich input.
Identifier tokenization on hex-escape-rich input.

The public CSS selector methods that funnel through the affected tokenizer are Nokogiri::CSS.xpath_for, Node#css, Node#at_css, Searchable#search, and CSS::Parser#parse.

References

github.com/advisories/GHSA-c4rq-3m3g-8wgx
github.com/sparklemotion/nokogiri
github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx

Code Behaviors & Features

Detect and mitigate GHSA-c4rq-3m3g-8wgx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →