Impact
Nokogiri, the Ruby XML/HTML parser, contains a use‑after‑free bug in its XInclude handling before version 1.19.4. When the library processes an <xi:include> element, it frees the include node and its children, leaving any Ruby objects that had previously been exposed to refer to deallocated memory. Using such an object can produce invalid reads or writes, potentially corrupting memory or enabling arbitrary code execution. This weakness corresponds to CWE‑416 and also to CWE‑825, indicating that freed memory can be accessed after deallocation.
Affected Systems
The vulnerability affects the Sparklemotion Nokogiri library for Ruby. Any application that installs Nokogiri prior to version 1.19.4 and uses XInclude processing is exposed. The issue is present in all releases before 1.19.4; upgrading to 1.19.4 or newer resolves the flaw.
Risk and Exploitability
The CVSS score of 2.2 reflects the low likelihood of exploitation; the EPSS score is currently unavailable, and the flaw is not listed in CISA's KEV catalog. Exploitation would require an attacker to control the XInclude content supplied to Nokogiri so that the freed node is later accessed through a Ruby object exposed by the application. Without such control, the risk remains limited. However, because the bug can lead to arbitrary memory writes, the potential impact, if exploited, could extend to code execution.
OpenCVE Enrichment