
Cloud Vulnerability DB
A community-led vulnerabilities database
Nokogiri v1.18.9 addresses multiple critical vulnerabilities in its vendored libxml2 library, identified as CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. The vulnerabilities were discovered and disclosed in July 2025, affecting all versions of Nokogiri below 1.18.9 when using CRuby (MRI) with vendored libxml2 (GitHub Advisory).
The vulnerabilities are all in libxml2: a stack-based buffer overflow in the `xmlBuildQName` function (CVE-2025-6021, CVSS 7.5 High), a buffer overflow in xmllint's interactive shell (CVE-2025-6170, CVSS 2.5 Low), a use-after-free vulnerability in XPath parsing (CVE-2025-49794, CVSS 9.1 Critical), a NULL pointer dereference in XPath processing (CVE-2025-49795, CVSS 7.5 High), and a memory corruption issue in processing `sch:name` elements (CVE-2025-49796, CVSS 9.1 Critical) (GitHub Advisory, Red Hat CVE).
The vulnerabilities can lead to various severe consequences including denial of service, memory corruption, and potential code execution in certain configurations. The most critical issues (CVE-2025-49794 and CVE-2025-49796) have a CVSS score of 9.1, indicating potential for high impact on system integrity and availability when exploited (GitHub Advisory).
Users are strongly advised to upgrade to Nokogiri v1.18.9 or later to address these vulnerabilities. For users unable to upgrade, an alternative mitigation involves compiling and linking Nokogiri against patched external libxml2 libraries (GitHub Advisory).
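One way to check a project against the fixed version is to audit its `Gemfile.lock`. The script below is an added example, not code from the advisory or from Nokogiri; the lockfile content is constructed and `audit_nokogiri` is a hypothetical helper name. It assumes a lockfile alone cannot show whether a source-built gem links vendored or system libxml2, so every CRuby entry below 1.18.9 is flagged for upgrade.

```ruby
require "rubygems" # provides Gem::Version (normally preloaded)

# First fixed release named on this page.
FIXED = Gem::Version.new("1.18.9")

# Constructed sample Gemfile.lock, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.8)
        mini_portile2 (~> 2.8.2)
        racc (~> 1.4)
      nokogiri (1.18.8-x86_64-linux-gnu)
        racc (~> 1.4)
      nokogiri (1.18.8-java)
        racc (~> 1.4)
      racc (1.8.1)

  DEPENDENCIES
    nokogiri
LOCK

# Resolved specs sit at exactly four spaces of indent; dependency
# constraints (six spaces, e.g. "nokogiri (>= 1.18)") are skipped.
SPEC_LINE = /^ {4}nokogiri \((\d[^)-]*)(?:-([^)]+))?\)$/

# Returns one hash per locked nokogiri entry with a status symbol.
def audit_nokogiri(lock_text)
  lock_text.scan(SPEC_LINE).map do |version, platform|
    platform ||= "ruby" # no suffix means the source gem for CRuby
    status =
      if platform == "java"
        :not_applicable # JRuby build; the advisory covers CRuby only
      elsif Gem::Version.new(version) < FIXED
        :upgrade
      else
        :fixed
      end
    { version: version, platform: platform, status: status }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_nokogiri(SAMPLE_LOCK).each { |r| puts r.values.join("  ") }
end
```

To audit a real project, pass `File.read("Gemfile.lock")` instead of `SAMPLE_LOCK`.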
The security community has actively responded to these vulnerabilities, with Red Hat issuing multiple security advisories and patches. The Nokogiri team has promptly addressed the issues by incorporating the fixes from upstream libxml2 patches (GitHub PR).
Source: This report was generated using AI