Nokogiri is a popular Ruby gem for parsing HTML and XML. A vulnerability exists in its CRuby native extension that can lead to a NULL pointer dereference. The issue stems from how the library handles certain native wrapper classes that inherit from Nokogiri::XML::Node. When an application calls the `.allocate` method directly on such a class, it creates an uninitialized Ruby object without the underlying native data structure. Subsequently invoking any method on this allocated-but-uninitialized object triggers a NULL pointer dereference because the native extension attempts to access the missing data pointer. This results in a process crash (segfault).
The vulnerability is not exploitable via untrusted input or through normal use of Nokogiri’s public API. It can only be triggered by a programming error where code explicitly calls `.allocate` on a native-backed class and then uses the resulting object. Nokogiri 1.19.4 addresses this by adding a check for missing native data pointers and raising a `RuntimeError` instead of crashing. JRuby is not affected as it does not use the CRuby native extension. The issue was reported by Zheng Yu from depthfirst.com.
DailyCVE Form
Platform: CRuby (MRI)
Version: < 1.19.4
Vulnerability: NULL Pointer Dereference
Severity: Low
Date: 2026-06-18
Prediction: 2026-06-18 (Patched)
What Undercode Say
The vulnerability is triggered by a programming error, not by untrusted input. It is a low-severity issue that has been fixed in version 1.19.4.
Analytics
The following command can be used to check the installed Nokogiri version:
```bash
gem list nokogiri
```
To identify if your application uses the vulnerable pattern, search for `.allocate` calls on Nokogiri classes:
```bash
# Escape the dot so it matches a literal ".", and restore the *.rb glob
grep -r "\.allocate" --include="*.rb" .
```
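A lexer-based alternative to the grep above, as an added example (not from the original advisory or the Nokogiri project): it uses Ruby's standard-library Ripper so that comments and string literals are ignored, and it also flags `.allocate` on classes the same file declares as Nokogiri subclasses. The helper names and the sample input are constructed for illustration.

```ruby
require "ripper"

# Walk backwards from token i; return [constant path, index where it starts].
def const_path_ending_at(toks, i)
  parts = []
  while i >= 0 && toks[i][1] == :on_const
    parts.unshift(toks[i][2])
    i -= 1
    break unless i >= 1 && toks[i][2] == "::" && toks[i - 1][1] == :on_const
    i -= 1
  end
  [parts.join("::"), i + 1]
end

# Return [[line, receiver], ...] for `.allocate` calls on a Nokogiri:: constant
# or on a class this source declares as a subclass of one. Names are matched as
# written; every Nokogiri:: class is treated as suspect (over-approximation).
def nokogiri_allocate_calls(source)
  toks = Ripper.lex(source).reject { |t| t[1] == :on_sp }
  derived = []
  suspect = ->(name) { name.start_with?("Nokogiri::") || derived.include?(name) }
  hits = []
  toks.each_with_index do |(pos, type, text), i|
    if type == :on_op && text == "<" && i >= 2
      name, start = const_path_ending_at(toks, i - 1)
      next unless !name.empty? && start >= 1 && toks[start - 1][2] == "class"
      j = i + 1
      j += 1 while toks[j] && (toks[j][1] == :on_const || toks[j][2] == "::")
      parent, = const_path_ending_at(toks, j - 1)
      derived << name if suspect.(parent)
    elsif type == :on_ident && text == "allocate" && i >= 2 &&
          [".", "&."].include?(toks[i - 1][2])
      recv, = const_path_ending_at(toks, i - 2)
      hits << [pos[0], recv] if suspect.(recv)
    end
  end
  hits
end

# Constructed sample input (not from any real code base).
SAMPLE = <<~'RUBY'
  # Nokogiri::XML::Node.allocate in a comment is not a call
  puts "Nokogiri::XML::Node.allocate"
  class Widget < Nokogiri::XML::Node; end
  a = Nokogiri::XML::Document.allocate
  b = Widget.allocate
  c = String.allocate
RUBY
nokogiri_allocate_calls(SAMPLE).each { |line, recv| puts "#{line}: #{recv}.allocate" }
```

Subclasses defined in other files, or referenced under a different namespace than the one they were declared with, are not resolved, so treat the output as a review list to check by hand.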
A vulnerable code example is:
```ruby
require "nokogiri"

node = Nokogiri::XML::Node.allocate
node.name # => triggers NULL pointer dereference in versions < 1.19.4
```
The fix in Nokogiri 1.19.4 raises an exception:
```ruby
require "nokogiri"

node = Nokogiri::XML::Node.allocate
node.name # => RuntimeError: Nokogiri::XML::Node is not properly initialized
```
Exploit
An attacker cannot directly exploit this vulnerability remotely. Exploitation requires a local programming error where an application uses `.allocate` incorrectly. For example:
```ruby
require "nokogiri"

# Vulnerable code
doc = Nokogiri::XML::Document.allocate
doc.root # => crashes the process in Nokogiri < 1.19.4
```
This could be used in a denial-of-service scenario if an application exposes functionality that allows a user to trigger such a programming error, but this is not a typical attack vector.
Protection
The primary mitigation is to upgrade to Nokogiri 1.19.4 or later. As a workaround, avoid calling `.allocate` directly on Nokogiri native-backed classes and use the documented constructors and factory methods instead. For example, use `Nokogiri::XML::Node.new('name', doc)` instead of `Nokogiri::XML::Node.allocate`.
Impact
The impact is limited to a denial of service (application crash) via a NULL pointer dereference. The vulnerability is of low severity and requires a programming error to be triggered. It does not allow for remote code execution or data exfiltration.
Sources:
Reported By: github.com

