Impact
Nokogiri’s Document#root= method previously only verified that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. This oversight triggers a heap use‑after‑free during garbage collection or finalization, resulting in an invalid memory read or a segmentation fault. The weakness is classified as both CWE-416: Use-After‑Free and CWE-1287.
Affected Systems
The vulnerability affects the Nokogiri XML/HTML library for the Ruby programming language, distributed by Sparklemotion. All releases prior to version 1.19.4 are susceptible. Ruby applications that load or parse XML/HTML via Nokogiri and subsequently set the document root with untrusted content may be impacted.
Risk and Exploitability
The CVSS score of 1.7 indicates a low overall severity, and the EPSS score is <1% (0.00312), suggesting low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local or application‑specific; an attacker must be able to inject a DTD node into the Nokogiri parsing process to trigger the use‑after‑free. If successful, the result may be a crash or denial of service for the impacted Ruby process. The mitigated state is restored by applying the patch introduced in version 1.19.4.
OpenCVE Enrichment