CVE-2019-5477

Name: CVE-2019-5477
Creator: NVD / NIST
Published: 2019-08-16T16:15:10.637+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 5.90%

Last modified Jun 17, 2026

CVE-2019-5477 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. EPSS estimates a 5.90% chance of exploitation in the next 30 days.

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

5.90%

92.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Nokogiri	Nokogiri	<= 1.10.3
Canonical	Ubuntu Linux	16.04
Canonical	Ubuntu Linux	18.04
Canonical	Ubuntu Linux	19.04
Canonical	Ubuntu Linux	19.10
Debian	Debian Linux	8.0
Debian	Debian Linux	10.0

References

https://github.com/sparklemotion/nokogiri/issues/1915Patch, Third Party Advisory
https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdocRelease Notes
https://hackerone.com/reports/650835Permissions Required
https://lists.debian.org/debian-lts-announce/2019/09/msg00027.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00019.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202006-05Third Party Advisory
https://usn.ubuntu.com/4175-1/Third Party Advisory
https://github.com/sparklemotion/nokogiri/issues/1915Patch, Third Party Advisory
https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdocRelease Notes
https://hackerone.com/reports/650835Permissions Required
https://lists.debian.org/debian-lts-announce/2019/09/msg00027.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00019.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202006-05Third Party Advisory
https://usn.ubuntu.com/4175-1/Third Party Advisory

Timeline

Published: Aug 16, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-5477?

How severe is CVE-2019-5477?

CVE-2019-5477 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 5.90% probability of exploitation in the next 30 days.

How do I fix CVE-2019-5477?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-5477?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST