Nokogiri, Use-After-Free, GHSA-wfpw-mmfh-qq69 (Low) -DC-Jun2026-478

How GHSA-wfpw-mmfh-qq69 Works

The vulnerability resides in Nokogiri’s CRuby native extension, specifically within the `Nokogiri::XML::Node#do_xinclude` method. When this method performs XInclude substitution, it replaces each `xi:include` element in place. During this process, libxml2 frees the original include node, along with all of its children and their descendants, and any namespaces declared on them.
The critical flaw arises when an application has already exposed one of these nodes or namespaces to Ruby prior to invoking `do_xinclude`. In such a case, the corresponding Ruby object continues to reference the now-freed memory. Subsequent use of that object can lead to invalid reads or writes, potentially causing memory corruption, application crashes, or in more severe scenarios, information disclosure or arbitrary code execution.
Nokogiri 1.19.4 remediates this by performing XInclude substitution on a defensive copy of the document rather than modifying the original in place. This ensures that the structures libxml2 frees are never the ones bound to live Ruby objects.
Only the CRuby implementation is affected; JRuby is not susceptible because it does not use the same native memory management. The Nokogiri maintainers have evaluated this as low severity because the vulnerable code path is not reached under normal usage patterns. To trigger the issue, an application must:

1. Parse a document without enabling XInclude processing.

2. Traverse into an `xi:include` subtree and expose its nodes or namespaces to Ruby.

3. Only then invoke `do_xinclude` on the document.

The common and recommended practice—requesting XInclude at parse time via the `xinclude` option—operates on a freshly parsed document whose nodes are not yet exposed to Ruby, and is therefore unaffected. Nokogiri 1.19.4 makes the unsafe pattern safe by default, requiring no changes to application code.

DailyCVE Form:

Platform: Nokogiri CRuby
Version: < 1.19.4
Vulnerability: Use-After-Free
Severity: Low
Date: 2026-06-18

Prediction: 2026-06-18

What Undercode Say

Analytics:

  • Affected Gem: nokogiri (CRuby platform)
  • Affected Method: `Nokogiri::XML::Node#do_xinclude`
    – Root Cause: In-place XInclude substitution frees nodes that may still be referenced by Ruby objects
  • Attack Prerequisites: Unusual API-usage pattern (parse without XInclude → traverse → expose nodes → call do_xinclude)
  • Common Safe Pattern: Parse with `xinclude: true` option
  • Patch Behaviour: Operates on a defensive copy, leaving original nodes intact

Bash Commands & Codes:

Check installed Nokogiri version:

gem list nokogiri | grep nokogiri

Upgrade to the patched version:

gem update nokogiri
# or specify the version explicitly
gem install nokogiri -v 1.19.4

For Bundler users, update your `Gemfile`:

gem 'nokogiri', '>= 1.19.4'

Then run:

bundle update nokogiri

Vulnerable code pattern (DO NOT USE):

doc = Nokogiri::XML::Document.parse(xml)      # XInclude not enabled at parse time
include_node = doc.at_xpath('//xi:include')   # expose node to Ruby
# ... later ...
doc.root.do_xinclude                          # triggers use-after-free on the exposed node

Safe code pattern (parse-time XInclude):

doc = Nokogiri::XML::Document.parse(xml, nil, nil, Nokogiri::XML::ParseOptions::DEFAULT_XML | Nokogiri::XML::ParseOptions::XINCLUDE)
# XInclude processed on the freshly parsed document; no nodes are exposed to Ruby yet

Safe code pattern (Nokogiri 1.19.4+):

doc = Nokogiri::XML::Document.parse(xml)
# even if nodes were exposed earlier, do_xinclude now operates on a defensive copy
doc.root.do_xinclude   # safe in 1.19.4+

Exploit

To exploit this vulnerability, an attacker would need to craft an XML document containing `xi:include` elements and induce the target application to follow the specific unsafe API-usage pattern:

1. Parse the XML without enabling XInclude.

2. Traverse the document to obtain Ruby references to nodes within the `xi:include` subtree.

3. Subsequently invoke `do_xinclude` on the document.

Once the substitution occurs, the attacker-controlled XML could cause the application to read from or write to freed memory when the application later uses the previously exposed Ruby objects. This could lead to:
– Denial of Service: Application crash due to invalid memory access.
– Information Disclosure: Reading sensitive data from freed memory that may contain application secrets or other user data.
– Potential Code Execution: In advanced scenarios, controlled writes to freed memory might be leveraged for arbitrary code execution, though this is unlikely given the low severity rating.
The attack surface is limited because the vulnerable pattern is uncommon and requires specific application logic. Most applications either enable XInclude at parse time or do not traverse into include subtrees before processing them.

Protection

Primary Mitigation: Upgrade to Nokogiri 1.19.4 or later. This version makes the unsafe pattern safe by default and requires no changes to application code.
Workaround for Earlier Versions: If upgrading is not immediately feasible, perform XInclude substitution at parse time using the `xinclude` parse option rather than calling `do_xinclude` on a document that has already been traversed. A freshly parsed document has no nodes exposed to Ruby, so the substitution is safe.

Example of safe parse-time XInclude:

doc = Nokogiri::XML::Document.parse(xml, nil, nil, Nokogiri::XML::ParseOptions::XINCLUDE)

General Recommendations:

  • Audit your codebase for any uses of `do_xinclude` and ensure they are either removed or replaced with parse-time XInclude.
  • If you must use `do_xinclude`, ensure it is called immediately after parsing, before any traversal or node exposure occurs.
  • Consider using JRuby if you are on a platform where CRuby’s native memory management poses a risk, as JRuby is not affected by this vulnerability.
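The codebase audit the first recommendation calls for can be started with a small script. This is an added example, not code from the advisory or the Nokogiri project; it assumes a line-based heuristic (the traversal method list, the message strings, and the sample source and Gemfile.lock text are all constructed).

```ruby
# Added example: heuristic audit for the unsafe do_xinclude pattern, plus a
# Gemfile.lock check against the fixed release. Method list, messages and
# sample inputs are constructed assumptions, not part of Nokogiri.
require 'rubygems' # Gem::Version

PATCHED = Gem::Version.new('1.19.4')
# Lookup/traversal calls that hand libxml2 nodes or namespaces to Ruby objects
TRAVERSAL = /\.(at_xpath|xpath|at_css|css|at|search|root|children|namespaces)\b/
PARSE_CALL = /Nokogiri::XML(::Document)?\.parse|Nokogiri::XML\(/
PARSE_WITH_XINCLUDE = /ParseOptions::XINCLUDE|xinclude:\s*true/

# Returns [[line_number, message], ...] for every do_xinclude call found.
def audit_source(src)
  findings = []
  xinclude_at_parse = false
  traversed = false
  src.each_line.with_index(1) do |line, n|
    code = line.sub(/#.*/, '') # ignore comments
    if code.match?(PARSE_CALL)        # a new document resets the state
      xinclude_at_parse = code.match?(PARSE_WITH_XINCLUDE)
      traversed = false
    end
    calls_do_xinclude = code.include?('do_xinclude')
    traversed = true if code.match?(TRAVERSAL) && !calls_do_xinclude
    next unless calls_do_xinclude
    msg = if xinclude_at_parse then 'INFO: do_xinclude after parse-time XInclude is redundant'
          elsif traversed then 'UNSAFE: do_xinclude after nodes were exposed to Ruby (GHSA-wfpw-mmfh-qq69)'
          else 'OK: do_xinclude immediately after parse; prefer the xinclude parse option'
          end
    findings << [n, msg]
  end
  findings
end

# Returns true when Gemfile.lock pins nokogiri at or above the patched release.
def nokogiri_patched?(gemfile_lock)
  m = gemfile_lock.match(/^\s+nokogiri \((\d+\.\d+\.\d+)[^)]*\)/)
  !m.nil? && Gem::Version.new(m[1]) >= PATCHED
end

# Constructed sample: the advisory's unsafe pattern.
UNSAFE_SAMPLE = <<~RUBY
  doc = Nokogiri::XML::Document.parse(xml)
  include_node = doc.at_xpath('//xi:include')
  doc.root.do_xinclude
RUBY
LOCK_SAMPLE = "GEM\n  specs:\n    nokogiri (1.18.9-x86_64-linux)\n" # constructed

audit_source(UNSAFE_SAMPLE).each { |n, msg| puts "line #{n}: #{msg}" }
puts "nokogiri patched? #{nokogiri_patched?(LOCK_SAMPLE)}"
```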

Impact

  • Confidentiality: Low – Information disclosure is possible but requires the unusual API-usage pattern and specific memory conditions.
  • Integrity: Low – Memory corruption could potentially be leveraged to alter application state, but exploitation is difficult and not reliable.
  • Availability: Moderate – The most likely outcome is a denial of service through application crashes.
  • Overall Severity: Low – The vulnerability is not reachable under normal usage, requires specific application logic to trigger, and is already patched in the latest release.
  • Affected Environments: Only CRuby implementations of Nokogiri prior to version 1.19.4. JRuby and other Ruby implementations are not affected.
  • Credits: This issue was responsibly reported by Zheng Yu from depthfirst.com.

Sources:

Reported By: github.com