Impact
Nokogiri, an XML/HTML parser for Ruby, contains a use‑after‑free flaw in the Document#encoding= method. When an invalid encoding is supplied—such as a non‑string or a string with a null byte—the method throws an exception after freeing the current encoding string without replacing it. The document then holds a dangling reference, and a subsequent read of the encoding may access freed memory, potentially causing an application crash or leaking data into Ruby Strings.
Affected Systems
The affected product is the Sparklemotion Nokogiri library, versions earlier than 1.19.4, on the CRuby (libxml2) implementation. JRuby is not impacted.
Risk and Exploitability
The CVSS score is 1.7, indicating low severity, and the EPSS score is not reported. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require local code that constructs a Nokogiri Document and passes an invalid encoding string; there is no known remote exploit, so likelihood of attack remains low.
OpenCVE Enrichment