GHSA-mrxw-mxhj-p664: 
Ruby vulnerability analysis and mitigation

Nokogiri v1.18.4 addresses multiple high-severity vulnerabilities by upgrading its dependency libxslt to v1.1.43. The vulnerability was published on March 14, 2025, and affects all versions of Nokogiri below 1.18.4 (GitHub Advisory).

The vulnerability encompasses two distinct use-after-free issues in libxslt: CVE-2025-24855 involves a use-after-free condition in nested XPath evaluations where an XPath context node can be modified but never restored, affecting components like xsltNumberFormatGetValue and xsltEvalXPathStringNs. CVE-2024-55549 relates to a use-after-free issue in xsltGetInheritedNsList concerning the exclusion of result prefixes. Both vulnerabilities have been assigned a CVSS v3.1 score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H (GitHub Advisory).

The vulnerabilities can lead to high impacts on system integrity and availability, though confidentiality is not affected. The CVSS score of 7.8 indicates that while the attack complexity is high and requires local access, successful exploitation could result in significant system compromise (GitHub Advisory).

Users should upgrade to Nokogiri version 1.18.4 or later, which includes the patched libxslt v1.1.43 that resolves both CVE-2025-24855 and CVE-2024-55549 (GitHub Advisory).