Impact
The vulnerability is a null pointer dereference in Nokogiri, an XML/HTML parsing library for Ruby. Prior to version 1.19.4, calling certain methods on allocated‑but‑uninitialized native wrapper classes that inherit from Nokogiri::XML::Node could trigger a crash of the process. The failure results in a denial of service rather than code execution, because the fault leads to an unhandled exception that terminates the application.
Affected Systems
The bug affects the Nokogiri library distributed by sparklemotion. Versions before 1.19.4 are vulnerable. This impact applies to any Ruby application that includes Nokogiri 1.19.3 or earlier. No other vendors or products are listed.
Risk and Exploitability
The CVSS score of 1.7 indicates low severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no publicly known exploits. The most likely attack vector is a local process executing Ruby code that includes Nokogiri – e.g., a web application that parses user‑supplied XML or HTML. The vulnerability does not provide a remote code execution path, but it can be exploited to crash the application if the attacker can supply input that triggers the uninitialized wrapper behavior.
OpenCVE Enrichment