GHSA-PHWJ-RPRQ-35PP: Use-After-Free Vulnerability in Nokogiri XML Attribute Value Modification
Vulnerability ID: GHSA-PHWJ-RPRQ-35PP
CVSS Score: 2.3
Published: 2026-06-19
A use-after-free (UAF) vulnerability exists in the CRuby native extension of the Nokogiri gem when updating XML attribute values. If child nodes of an XML attribute are wrapped by Ruby objects prior to setting the attribute's value, the underlying C memory structures are freed while the Ruby wrapper retains a dangling pointer. This results in memory corruption, invalid pointer dereferences, and application crashes during execution or garbage collection.
TL;DR
A use-after-free vulnerability in the Nokogiri gem's CRuby extension allows remote attackers to trigger process crashes or memory corruption when updating XML attribute values.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-416
- Vulnerability Class: Use-After-Free (UAF)
- CVSS Score: 2.3 (Low)
- Attack Vector: Network
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
- Patched Version: 1.19.4
Affected Systems
- Nokogiri (CRuby implementations)
- Nokogiri: < 1.19.4 (Fixed in: 1.19.4)
Code Analysis
Commit: 6326471
Ensure attribute child nodes with active Ruby wrappers are unlinked and pinned rather than freed during attribute mutation.
Exploit Details
- GitHub Security Advisory: Vulnerability announcement containing reproduction methodology and code verification.
Mitigation Strategies
- Upgrade Nokogiri to version 1.19.4 or higher.
- Avoid accessing internal child nodes of XML attributes directly before mutating their values.
Remediation Steps:
- Modify Gemfile to enforce a minimum Nokogiri version of 1.19.4.
- Run 'bundle update nokogiri' to apply the patch.
- Verify dependencies and ensure no legacy transitively-locked versions of Nokogiri exist in the lockfile.
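An added example, not part of the advisory or the Nokogiri project: a Ruby check for the last remediation step that lists every nokogiri entry resolved in a Gemfile.lock, including platform-specific variants, and flags those below 1.19.4. The helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version for correct version ordering

# Patched version stated in the advisory.
PATCHED = Gem::Version.new("1.19.4")

# Resolved spec lines sit at a 4-space indent: "    nokogiri (1.18.9-x86_64-linux-gnu)".
# Dependency constraints such as "      nokogiri (~> 1.14)" are indented deeper
# and contain spaces, so they do not match.
SPEC_LINE = /^ {4}nokogiri \(([^)\s]+)\)\r?$/

# Returns one hash per locked nokogiri entry (hypothetical helper name).
def locked_nokogiri(lockfile_text)
  lockfile_text.scan(SPEC_LINE).flatten.map do |raw|
    version, platform = raw.split("-", 2) # platform gems append "-<platform>"
    { version: version,
      platform: platform || "ruby",
      vulnerable: Gem::Version.new(version) < PATCHED }
  end
end

# Entries that still resolve below the patched version.
def vulnerable_entries(lockfile_text)
  locked_nokogiri(lockfile_text).select { |e| e[:vulnerable] }
end

# Constructed sample lockfile fragment (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.9)
        racc (~> 1.4)
      nokogiri (1.18.9-x86_64-linux-gnu)
        racc (~> 1.4)
      rails-html-sanitizer (1.6.0)
        nokogiri (~> 1.14)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  bad = vulnerable_entries(text)
  bad.each { |e| puts "nokogiri #{e[:version]} (#{e[:platform]}) is below #{PATCHED}" }
  puts(bad.empty? ? "no vulnerable nokogiri entries locked" : "#{bad.size} entries need updating")
end
```

Pass the path to a lockfile as the first argument to check a real project; without an argument the script runs against the constructed sample.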