
GHSA-353f-x4gh-cqq8
Ruby vulnerability analysis and mitigation

Overview

Nokogiri v1.18.9 addresses multiple critical vulnerabilities in its vendored libxml2 library, including CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. The vulnerabilities were discovered and disclosed in June 2025, affecting Nokogiri versions below 1.18.9 when using CRuby (MRI) with vendored libxml2 (GitHub Advisory).

Technical details

The vulnerabilities are five distinct libxml2 issues: a stack-based buffer overflow in the xmlBuildQName function (CVE-2025-6021, CVSS 7.5 High), a buffer overflow in xmllint's interactive shell (CVE-2025-6170, CVSS 2.5 Low), a use-after-free in XPath parsing (CVE-2025-49794, CVSS 9.1 Critical), a NULL pointer dereference in XPath XML expression processing (CVE-2025-49795, CVSS 7.5 High), and a memory corruption issue in the processing of sch:name elements (CVE-2025-49796, CVSS 9.1 Critical) (GitHub Advisory).

Impact

The vulnerabilities can lead to denial of service, memory corruption, potential code execution in specific configurations, and possible exposure of sensitive data through memory corruption. Two of the vulnerabilities (CVE-2025-49794 and CVE-2025-49796) are rated Critical with CVSS scores of 9.1, while two others are rated High with CVSS scores of 7.5 (GitHub Advisory).

Mitigation and workarounds

Users are advised to upgrade to Nokogiri v1.18.9 or later to address these vulnerabilities. Users unable to upgrade can instead compile and link Nokogiri against an external libxml2 that carries the fixes. The fixes correspond to specific patches from the libxml2 repository, including commits 17d950ae, 5e9ec5c1, 81cef8c5, and 62048278 (GitHub Advisory).
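The advisory's affected set is "Nokogiri below 1.18.9 on CRuby with vendored libxml2", which is two separate checks: the gem version and where libxml2 came from. The following Ruby script is an added example, not code from Nokogiri or from the advisory. It reads the locked nokogiri version out of a constructed Gemfile.lock excerpt (so it runs offline), compares it against the fixed version with the standard-library Gem::Version, and, when the gem is installed, also reads the libxml2 source out of Nokogiri::VERSION_INFO, whose "libxml" => "source" entry reports "packaged" for the vendored build and "system" for an external library. The sample lockfile contents and the 1.18.8 version in it are constructed for the example.

```ruby
require "rubygems"

# Version in which the advisory says the vendored libxml2 was fixed.
FIXED_VERSION = Gem::Version.new("1.18.9")

# Constructed Gemfile.lock excerpt (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.8-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)
LOCK

# Extract the nokogiri version from the "specs:" section of a Gemfile.lock.
# Direct spec lines are indented four spaces: "    nokogiri (1.18.8-x86_64-linux)".
# The "-x86_64-linux" platform suffix is dropped so Gem::Version does not
# misread it as a prerelease tag.
def locked_nokogiri_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}nokogiri \(([^)]+)\)/)
    return m[1].split("-").first if m
  end
  nil
end

# The advisory's condition: version below 1.18.9 AND libxml2 is the vendored
# ("packaged") copy. A system libxml2 is outside the advisory's scope and must
# be checked against its distribution's own advisories instead.
def affected?(version_string, libxml_source)
  return false if version_string.nil?
  Gem::Version.new(version_string) < FIXED_VERSION && libxml_source == "packaged"
end

# Live check of the installed gem, if any. Returns nil when Nokogiri is not
# installed so the script still runs in a bare environment.
def runtime_status
  require "nokogiri"
  info = Nokogiri::VERSION_INFO
  { version: info["nokogiri"]["version"], libxml_source: info["libxml"]["source"] }
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  locked = locked_nokogiri_version(SAMPLE_LOCKFILE)
  puts "Gemfile.lock pins nokogiri #{locked.inspect}"
  puts "  affected if vendored libxml2: #{affected?(locked, 'packaged')}"

  if (live = runtime_status)
    puts "Installed nokogiri #{live[:version]} (libxml2 source: #{live[:libxml_source]})"
    puts "  affected: #{affected?(live[:version], live[:libxml_source])}"
  else
    puts "Nokogiri is not installed in this Ruby; skipping runtime check"
  end
end
```

Run it from the project directory and replace SAMPLE_LOCKFILE with File.read("Gemfile.lock") to check a real lockfile; the runtime half is the authoritative answer for a deployed environment, since a Gemfile.lock alone cannot tell whether the gem was built against a system libxml2.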

Source: GitHub Advisory. This report was generated using AI.
