GHSA-5mwf-688x-mr7x: 
Ruby vulnerability analysis and mitigation

Nokogiri version 1.18.3 addresses security vulnerabilities by upgrading its dependency libxml2 to version 2.13.6. This update resolves two significant security issues: CVE-2025-24928 and CVE-2024-56171. The vulnerability affects Nokogiri versions below 1.18.3 and was published on February 18, 2025 (Nokogiri Advisory).

The vulnerability consists of two distinct issues in libxml2: First, a stack-buffer overflow vulnerability (CVE-2025-24928) that occurs during DTD validation error reporting when processing input containing long QName prefixes (approximately 3KB in length). Second, a use-after-free vulnerability (CVE-2024-56171) that manifests during XML Schema validation processes, particularly when handling xsd:keyref elements in combination with recursively defined types that have additional identity constraints (Ruby Advisory).

The impact varies between the two vulnerabilities. For CVE-2025-24928, attackers could potentially trigger a stack-buffer overflow by crafting XML documents with extremely long QName prefixes during DTD validation. For CVE-2024-56171, the vulnerability could lead to use-after-free conditions when validating either untrusted XML Schemas or when validating untrusted documents against trusted Schemas (Nokogiri Advisory).

Users should upgrade to Nokogiri version 1.18.3 or later, which includes the patched libxml2 version 2.13.6. This version addresses both CVE-2025-24928 and CVE-2024-56171 vulnerabilities (Ruby Advisory).