How GHSA-p67v-3w7g-wjg7 Works
Nokogiri is a popular Ruby gem for parsing HTML and XML. Prior to version 1.19.4, the `Nokogiri::XML::XPathContext` class did not maintain a reference to its source document for garbage collection purposes. When an application creates an `XPathContext` directly from a document and then allows that document to become unreachable (e.g., by letting all references to it go out of scope), the Ruby garbage collector may free the underlying document’s memory. If the application subsequently uses the same `XPathContext` to evaluate an XPath expression, the context attempts to access the already-freed document memory. This results in a read of invalid memory, which can cause a segmentation fault (segfault) and crash the Ruby process.
This vulnerability is not reachable through normal usage patterns. The standard `Document#xpath`, `Document#css`, and related search methods are unaffected because they manage the document's lifetime internally. The issue only arises when application code explicitly constructs an `XML::XPathContext` and continues using it after dropping all references to the source document. It is not triggerable by malicious document input; the application itself must create the risky usage pattern.
The fix in Nokogiri 1.19.4 ensures that the `XPathContext` keeps its source document alive for as long as the context object exists, preventing the use-after-free condition. Only the CRuby (MRI) implementation is affected; JRuby is not vulnerable because it uses a different memory management model.
The Nokogiri maintainers have evaluated this issue as low severity because exploiting it requires an unusual API‑usage pattern that does not occur during normal development. No public exploits are known, and the fix is backward-compatible with no changes to the public API.
DailyCVE Form:
Platform: CRuby (MRI)
Version: < 1.19.4
Vulnerability: Use-After-Free
Severity: Low
date: 2026-06-18
Prediction: 2026-06-18
What Undercode Says
Analytics:
- Affected component: `Nokogiri::XML::XPathContext`
- Attack vector: Local (requires a poorly-coded application, not malicious input)
- Exploitability: Low (unusual API usage)
- CVSS v3 score: Not assigned (low severity)
- Public exploits: None known
Bash commands & codes:
Check installed Nokogiri version:
gem list nokogiri
Upgrade to the patched version:
gem update nokogiri
Or, with Bundler:
bundle update nokogiri
Verify the fix is applied (should output 1.19.4 or higher):
ruby -e "require 'nokogiri'; puts Nokogiri::VERSION"
Vulnerable code pattern (DO NOT USE):
```ruby
require 'nokogiri'

doc = Nokogiri::XML('<root><a>1</a></root>')
# The context only borrows the document; before 1.19.4 it does not keep it alive.
ctx = Nokogiri::XML::XPathContext.new(doc)
doc = nil    # the document becomes unreachable
GC.start     # the garbage collector may free the document's memory
# ctx is still used -> reads freed memory, may segfault on CRuby < 1.19.4
result = ctx.evaluate('//a')
```
Exploit
To trigger the vulnerability, an attacker must already have the ability to influence application code to construct an `XPathContext` directly and then allow the document to be garbage-collected while the context remains in use. This is not exploitable by sending malicious input; it is a programmer error. No remote code execution or privilege escalation is possible—only a denial of service via process crash.
Protection
- Upgrade to Nokogiri 1.19.4 or later.
- If unable to upgrade, ensure the source document remains referenced for as long as any `XPathContext` created from it is in use.
- Use the standard `Document#xpath` and `Document#css` methods, which are already safe.
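The following is an added example, not code from the advisory or from Nokogiri itself. It covers two of the items above in one place: a version check that mirrors the `gem list` / `Nokogiri::VERSION` commands by comparing an installed version against the fixed release, and a small wrapper class, `PinnedXPathContext` (a hypothetical name), that implements the second Protection bullet by holding a strong reference to the document next to the context it was created from. The `context_factory` argument is an assumption introduced so the wrapper can be exercised without Nokogiri installed; with Nokogiri present, the default builds a real `Nokogiri::XML::XPathContext`, exactly as the vulnerable pattern does.

```ruby
require 'rubygems' # Gem::Version ships with Ruby

# First release that keeps the XPathContext's document alive (per the advisory).
FIXED_NOKOGIRI_VERSION = Gem::Version.new('1.19.4')

# True when the given Nokogiri version string predates the fix.
def nokogiri_xpathcontext_uaf?(version_string)
  Gem::Version.new(version_string) < FIXED_NOKOGIRI_VERSION
end

# Version of the Nokogiri gem loadable in this process, or nil if it is absent.
def installed_nokogiri_version
  require 'nokogiri'
  Nokogiri::VERSION
rescue LoadError
  nil
end

# Workaround for code that cannot upgrade yet (hypothetical class name):
# keep the document and the context in the same object, so the document
# stays reachable, and therefore uncollected, for as long as the context is.
class PinnedXPathContext
  attr_reader :document

  # context_factory is an assumption made for this example: it lets the wrapper
  # be exercised with a stand-in when Nokogiri is not installed. The default
  # constructs the real context the same way the vulnerable snippet does.
  def initialize(document, context_factory = ->(doc) { Nokogiri::XML::XPathContext.new(doc) })
    @document = document                 # strong reference: the GC cannot free it
    @context  = context_factory.call(document)
  end

  # Same signature as Nokogiri::XML::XPathContext#evaluate(search_path, handler = nil).
  def evaluate(xpath, handler = nil)
    @context.evaluate(xpath, handler)
  end
end

if __FILE__ == $0
  version = installed_nokogiri_version
  if version.nil?
    puts 'Nokogiri is not installed in this Ruby'
  else
    status = nokogiri_xpathcontext_uaf?(version) ? 'VULNERABLE, upgrade to 1.19.4+' : 'fixed'
    puts "Nokogiri #{version}: #{status}"
  end
end
```

In an application that cannot upgrade yet, replacing `ctx = Nokogiri::XML::XPathContext.new(doc)` with `ctx = PinnedXPathContext.new(doc)` means that even after `doc = nil` and `GC.start` the document is still referenced through `ctx.document`, so `ctx.evaluate('//a')` never touches freed memory. Upgrading remains the real fix; the wrapper only reproduces in Ruby what 1.19.4 does inside the extension.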
Impact
- Use-after-free condition when evaluating XPath expressions on a context whose document has been garbage-collected.
- Potential segmentation fault and application crash (denial of service).
- No data corruption, information disclosure, or remote code execution.
- Only affects CRuby (MRI) implementations; JRuby is not vulnerable.
Sources:
Reported By: github.com

