Denial of Service via heap use-after-free
Summary
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4. This vulnerability occurs due to insufficient validation when setting the document's root element, allowing a malicious document to trigger a memory error. This can lead to a heap use-after-free, potentially causing the application to crash and resulting in a Denial of Service (DoS). This could lead to application crashes and impact the availability of services that process untrusted XML or HTML content using Nokogiri. This is only triggered by a programming error. Red Hat ships Nokogiri as a dependency in several products including Red Hat 3scale API Management Platform, Red Hat Satellite, and Red Hat Enterprise Linux buildroot packages. All affected product versions ship Nokogiri prior to the 1.19.4 fix. This memory-safety issue affects only the CRuby implementation (libxml2). The JRuby implementation was not affected; the same input validation was added there for behavioral parity. Red Hat severity: Low — CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
- < 1.19.4
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- To mitigate this issue, applications that use Nokogiri to process untrusted XML or HTML documents should implement robust input validation and operate within a sandboxed environment. Restricting the application's ability to process arbitrary external content can reduce the risk of triggering the heap use-after-free vulnerability and prevent a denial of service.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.