CVE Reports

Posted on • Originally published at cvereports.com

GHSA-WFPW-MMFH-QQ69: Use-After-Free Vulnerability in Nokogiri XML Node-Level XInclude Processing

Vulnerability ID: GHSA-WFPW-MMFH-QQ69
CVSS Score: 4.8
Published: 2026-06-19

Nokogiri is a popular Ruby gem used for parsing XML and HTML documents. A Use-After-Free (UAF) vulnerability exists in its CRuby implementation during XInclude processing. When an application traverses an XML document and exposes nodes to Ruby before calling do_xinclude, the underlying C library, libxml2, can free those node structures in place while substituting the XInclude content. The still-live Ruby objects keep holding pointers to the freed memory, which can lead to segmentation faults, memory corruption, or information disclosure.

TL;DR

A Use-After-Free vulnerability in Nokogiri's CRuby C-extension engine allows memory corruption or application crashes when XInclude is run on previously traversed DOM structures. The issue is resolved in version 1.19.4 by performing XInclude substitutions on a defensive copy.


Technical Details

  • CWE ID: CWE-416
  • Attack Vector: Network (with local programmatic triggers)
  • CVSS Score: 4.8 (Medium/Low)
  • Impact: Memory Corruption / Denial of Service
  • Exploit Status: None (No public exploit)
  • KEV Status: Not Listed

Affected Systems

  • Nokogiri (CRuby implementation)
  • nokogiri: < 1.19.4 (Fixed in: 1.19.4)

Mitigation Strategies

  • Upgrade Nokogiri to version 1.19.4 or later.
  • Process XInclude during parse time instead of invoking do_xinclude on an already traversed DOM tree.
  • Switch to JRuby if feasible, as JRuby is unaffected.

Remediation Steps:

  1. Identify all Gemfile entries referencing nokogiri and update to >= 1.19.4.
  2. Execute bundle update nokogiri to apply the patch.
  3. Review codebases for occurrences of do_xinclude and replace with parse-time configurations where possible.
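As an added example (not from the advisory or the Nokogiri project), the following stdlib-only Ruby audit helper covers the mitigation and remediation steps above: it reads the resolved nokogiri version out of a Gemfile.lock, compares it with the fixed release using Gem::Version, and lists do_xinclude call sites in Ruby sources for manual review. The lockfile and source files are constructed sample input, and the helper names (nokogiri_version_from_lockfile, find_do_xinclude_calls, audit) are assumptions of this example.

```ruby
# Added example (not from the advisory or the Nokogiri project): a small
# stdlib-only audit helper for the remediation steps above. It reads a
# Gemfile.lock to see whether the resolved nokogiri version is below the
# fixed release and scans Ruby sources for do_xinclude call sites so they
# can be reviewed. All file contents below are constructed sample input.
require "rubygems"

FIXED_NOKOGIRI = Gem::Version.new("1.19.4")

# Extract the resolved nokogiri version from Gemfile.lock text.
# Spec lines under GEM/specs are indented by exactly four spaces, e.g.
# "    nokogiri (1.18.3-x86_64-linux)"; dependency lines are indented deeper.
# Returns nil when nokogiri is not in the lockfile.
def nokogiri_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}nokogiri \(([^)\s]+)\)/)
  return nil unless m
  # Drop a platform suffix such as "-x86_64-linux" so Gem::Version sees "1.18.3".
  Gem::Version.new(m[1].split("-").first)
end

# Versions below 1.19.4 (including 1.19.4 prereleases) carry the bug.
def vulnerable_nokogiri?(version)
  return false if version.nil?
  version < FIXED_NOKOGIRI
end

DO_XINCLUDE_CALL = /\bdo_xinclude\b/

# Scan Ruby sources (Hash of path => contents) for do_xinclude call sites.
# Comment-only lines are skipped. Returns [[path, line_number, line], ...].
def find_do_xinclude_calls(sources)
  hits = []
  sources.each do |path, text|
    text.each_line.with_index(1) do |line, n|
      next if line.lstrip.start_with?("#")
      hits << [path, n, line.strip] if line.match?(DO_XINCLUDE_CALL)
    end
  end
  hits
end

# Combine both checks into one report. Exposure needs an affected gem version
# AND a do_xinclude call on a tree the application has already traversed.
def audit(lock_text, sources)
  version = nokogiri_version_from_lockfile(lock_text)
  calls = find_do_xinclude_calls(sources)
  {
    nokogiri_version: version&.to_s,
    needs_upgrade: vulnerable_nokogiri?(version),
    do_xinclude_calls: calls,
    at_risk: vulnerable_nokogiri?(version) && !calls.empty?,
  }
end

# Constructed sample lockfile pinning an affected version.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
LOCK

# Constructed sample sources: one file shows the risky ordering (traverse,
# keep node references, then do_xinclude); the other only mentions the
# method in a comment and must not be reported.
SAMPLE_SOURCES = {
  "app/importers/feed.rb" => <<~RUBY,
    doc = Nokogiri::XML(File.read(path))
    titles = doc.xpath("//title")   # Ruby now holds references into the tree
    doc.do_xinclude                 # XInclude on an already traversed tree
    titles.map(&:text)
  RUBY
  "app/importers/safe.rb" => <<~RUBY,
    # Reviewed: no do_xinclude here; XInclude is configured at parse time.
    doc = Nokogiri::XML(File.read(path))
    doc.xpath("//title").map(&:text)
  RUBY
}

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_LOCK, SAMPLE_SOURCES)
  puts "nokogiri #{report[:nokogiri_version]} needs upgrade: #{report[:needs_upgrade]}"
  report[:do_xinclude_calls].each { |path, n, line| puts "  #{path}:#{n}: #{line}" }
  puts "at risk: #{report[:at_risk]}"
end
```

The scan cannot tell whether node objects were handed to Ruby before a given call, so every do_xinclude hit on a document that is traversed anywhere else should be treated as a candidate for review; upgrading the gem remains the fix that removes the condition regardless of call order.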

Read the full report for GHSA-WFPW-MMFH-QQ69 on our website for more details including interactive diagrams and full exploit analysis.
