CVE-2022-24839

Name: CVE-2022-24839
Creator: NVD / NIST
Published: 2022-04-11T22:15:07.44+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 2.00%

Last modified Jun 17, 2026

CVE-2022-24839 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. EPSS estimates a 2.00% chance of exploitation in the next 30 days.

Description

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

2.00%

78.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-400

Affected Software

Vendor	Product	Versions
Nekohtml Project	Nekohtml	< 1.9.22.noko2
Oracle	Weblogic Server	12.2.1.3.0
Oracle	Weblogic Server	12.2.1.4.0
Oracle	Weblogic Server	14.1.1.0.0

References

https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773dPatch
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmvVendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773dPatch
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmvVendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory

Timeline

Published: Apr 11, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-24839?

How severe is CVE-2022-24839?

CVE-2022-24839 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 2.00% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24839?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-24839?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST