How the Vulnerability Works
Nokogiri is a Ruby gem that parses HTML and XML (through DOM, SAX, and Reader interfaces) using a C extension that wraps libxml2. The `Nokogiri::XML::Document#root=` method replaces the document root with a new node. Prior to version 1.19.4, this method validated only that the new root was a `Nokogiri::XML::Node` object. That check was insufficient because the `Node` class hierarchy includes many subtypes, among them `DTD` nodes, which represent document type definitions.
When a DTD node is assigned as the document root via `Document#root=`, the underlying libxml2 document structure becomes invalid. A DTD node does not belong in the root position, and the internal memory layout libxml2 expects is corrupted. During garbage collection or finalization of the Ruby object, the Nokogiri wrapper attempts to free the underlying libxml2 structures. Because the document root is now a DTD node instead of an element node, the deallocation routines follow incorrect code paths, leading to a heap use-after-free condition.
A use-after-free occurs when memory is accessed after it has been freed. In this case, the garbage collector frees memory that is still referenced elsewhere, or conversely, attempts to free memory that has already been released. This results in an invalid memory read, which can cause a segmentation fault (segfault) and crash the Ruby process.
This memory-safety issue affects only the CRuby implementation because it relies on the libxml2 C library. The JRuby implementation, which uses a different XML parser, was not affected, though the same input validation was added for behavioral parity.
The vulnerability is not exploitable by untrusted input or through normal use of the public API. It can only be triggered by a programming error: application code explicitly assigning a non-element node such as a DTD as the document root via `Document#root=`. Nokogiri 1.19.4 restricts `Document#root=` to element nodes and raises a `TypeError` for any other node type, preventing the unsafe assignment.
DailyCVE Form
Platform: CRuby (Nokogiri)
Version: < 1.19.4
Vulnerability: Use-After-Free
Severity: Low
Date: 2026-06-18
Prediction: Already Patched
What Undercode Says
Check your Nokogiri version:
gem list nokogiri
Upgrade to the patched version:
gem update nokogiri
Or specify the version in your Gemfile:
gem 'nokogiri', '>= 1.19.4'
Then run:
bundle update nokogiri
Verify the upgrade:
ruby -r nokogiri -e "puts Nokogiri::VERSION"
Exploit
The vulnerability can be triggered by the following code, which assigns a DTD node as the document root:
require 'nokogiri'
doc = Nokogiri::XML::Document.new
dtd = Nokogiri::XML::DTD.new(doc, 'root', 'public', 'system')
doc.root = dtd # Unsafe assignment in versions < 1.19.4
In affected versions, this assignment succeeds, corrupting the internal document structure. When the document is garbage-collected, a use-after-free occurs, potentially causing a segfault.
In Nokogiri 1.19.4 and later, the same code raises:
TypeError: root must be an Element node (Nokogiri::XML::Element)
Protection
- Upgrade to Nokogiri 1.19.4 or later; this is the primary mitigation.
- If you cannot upgrade immediately, avoid assigning a DTD or any non-element node via `Document#root=`.
- Review your codebase for any usage of `Document#root=` and ensure only element nodes are assigned.
- Use automated dependency scanning (e.g., Dependabot, Snyk) to detect vulnerable versions.
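The version check in the "What Undercode Says" steps and the codebase review in the Protection list can both be scripted. The following Ruby script is an added example written for this page; it is not Nokogiri project code or part of the original advisory. It reads the `specs:` section of a Gemfile.lock and compares the locked `nokogiri` version against the 1.19.4 fix version using `Gem::Version`, and it flags lines in Ruby source that assign `Document#root=` so they can be reviewed by hand. The lockfile and source text are constructed samples; the `1.18.3` version in them is made up for illustration and is not a specific affected release named by the advisory.

```ruby
require 'rubygems' # Gem::Version ships with Ruby; the require is a no-op on modern Rubies

# First release that restricts Document#root= to element nodes (from the advisory).
NOKOGIRI_FIXED_VERSION = Gem::Version.new('1.19.4')

# Parse every "specs:" block of a Gemfile.lock and return { gem_name => Gem::Version }.
# Direct spec lines are indented by exactly four spaces, e.g.
#   "    nokogiri (1.18.3-x86_64-linux)"; transitive dependency lines use six spaces
# and are skipped. Platform suffixes such as "-x86_64-linux" are stripped before
# building the Gem::Version.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    # Any non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the current specs block.
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)\s]+)\)/)
    next unless m
    version = m[2].split('-').first # drop the platform suffix, keep "1.18.3"
    specs[m[1]] = Gem::Version.new(version)
  end
  specs
end

# True when the locked nokogiri version is older than the fixed release.
# A project that does not lock nokogiri at all is reported as not vulnerable here;
# treat that as "not applicable" rather than "safe".
def nokogiri_vulnerable?(specs)
  version = specs['nokogiri']
  return false if version.nil?
  version < NOKOGIRI_FIXED_VERSION
end

# Return [[line_number, line_text], ...] for every source line that assigns
# something to a `.root` attribute. The regex requires a single "=" so that
# comparisons such as `doc.root == nil` are not reported. Each hit should be
# reviewed to confirm only Nokogiri::XML::Element instances are assigned.
def find_root_assignments(ruby_source)
  ruby_source.each_line.with_index(1)
             .select { |line, _| line =~ /\.root\s*=[^=]/ }
             .map { |line, n| [n, line.strip] }
end

# Constructed sample Gemfile.lock (the 1.18.3 version is a placeholder for a pre-fix release).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.9)
      nokogiri (1.18.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri

  BUNDLED WITH
     2.5.22
LOCK

# Constructed sample application source containing two root assignments and one comparison.
SAMPLE_SOURCE = <<~RUBY
  doc = Nokogiri::XML::Document.new
  return if doc.root == nil
  doc.root = doc.create_element('data')
  doc.root=dtd
  other = root_value
RUBY

if __FILE__ == $PROGRAM_NAME
  specs = parse_lockfile_specs(SAMPLE_LOCKFILE)
  puts "locked nokogiri: #{specs['nokogiri']} (fixed in #{NOKOGIRI_FIXED_VERSION})"
  puts "vulnerable: #{nokogiri_vulnerable?(specs)}"
  find_root_assignments(SAMPLE_SOURCE).each do |n, text|
    puts "review root assignment at line #{n}: #{text}"
  end
end
```

Point `parse_lockfile_specs` at `File.read('Gemfile.lock')` and `find_root_assignments` at each `.rb` file in the repository to run the same checks on a real project; a hit from the second function is a prompt for manual review, not proof of a bug, since assigning an `Element` is perfectly safe.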
Impact
- Scope: CRuby implementation only (libxml2).
- Trigger: Programming error — explicit assignment of a non-element node as the document root.
- Effect: Heap use-after-free during garbage collection, leading to invalid memory read or segfault.
- Exploitability: Cannot be triggered by untrusted input or through normal API usage.
- Severity: Evaluated as Low by the Nokogiri maintainers.
- Discovered by: Zheng Yu from depthfirst.com.
Sources:
Reported By: github.com