Impact
Nokogiri, a widely used XML and HTML parser for Ruby, contains a flaw in its NodeSet indexing function. The library truncates the requested index to 32 bits before performing bounds checking, so a very large negative index can bypass the bounds check and read memory outside the node set. In the CRuby implementation this out‑of‑bounds read typically crashes the process, causing a denial‑of‑service. In JRuby the bug does not crash the JVM but returns an invalid node, which can lead to incorrect behavior or data leakage. The vulnerability may expose sensitive information or disrupt application execution, depending on the platform and deployment context.
Affected Systems
Ruby applications that depend on the Nokogiri gem before version 1.19.4 are affected. Based on common patterns, this includes many web frameworks that ship Nokogiri, such as Rails and Sinatra, as well as custom scripts or services that parse XML or HTML and may accept untrusted input. An application that calls Nokogiri::XML::NodeSet#[] or its alias #slice with a large negative index could trigger the flaw.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity, and the EPSS score is not available, implying no widespread, publicly known exploitation at the time of analysis. Since the vulnerability is not listed in CISA's KEV catalog, it is not a known exploited vulnerability. The likely attack vector is an attacker providing a crafted XML payload containing a large negative index to the Ruby application that processes untrusted XML. Local privilege is sufficient to trigger the crash, and the risk escalates if the application runs with elevated permissions or handles sensitive data. The attack would cause a denial of service or potentially leak memory contents, especially on CRuby installations.
OpenCVE Enrichment