GHSA-vvfq-8hwr-qm4m
Ruby vulnerability analysis and mitigation

Overview

A security vulnerability was identified in Nokogiri's packaged libxml2 library, leading to the release of version 1.18.3 which updates libxml2 to version 2.13.6. This update addresses two distinct vulnerabilities: CVE-2025-24928 and CVE-2024-56171. The issue affects Nokogiri versions below 1.18.3 and was published on February 18, 2025 (GitHub Advisory).

Technical details

The advisory covers two distinct issues in libxml2. The first is a stack-buffer overflow (CVE-2025-24928) that occurs during DTD validation error reporting when the input contains long QName prefixes (approximately 3KB in length). The second is a use-after-free (CVE-2024-56171) that manifests during XML Schema validation, particularly when processing untrusted XML Schemas, or when validating untrusted documents against trusted Schemas that use xsd:keyref with recursively defined types carrying additional identity constraints (GitHub Advisory).

Impact

The two vulnerabilities have different consequences. For CVE-2025-24928, an attacker could trigger a stack-buffer overflow by supplying XML documents with extremely long QName prefixes that are processed during DTD validation. For CVE-2024-56171, an attacker could cause a use-after-free condition through specially crafted XML Schemas or documents, particularly those involving xsd:keyref with recursive type definitions (GitHub Advisory).

Mitigation and workarounds

The recommended mitigation is to upgrade to Nokogiri version 1.18.3 or later, which includes the patched libxml2 version 2.13.6. This update addresses both CVE-2025-24928 and CVE-2024-56171 (GitHub Advisory).
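The following is an added example, not code from the advisory or from the Nokogiri project, showing how to check a dependency set against the fixed versions named above. It parses the resolved nokogiri version out of a Gemfile.lock and, for builds where Nokogiri links a system libxml2 rather than the packaged one, compares the loaded libxml2 version against 2.13.6; the `version_info` hash shape is assumed to mirror `Nokogiri::VERSION_INFO`, and the sample lockfile is constructed.

```ruby
require "rubygems" # Gem::Version for semantic comparison

# Fixed versions named in GHSA-vvfq-8hwr-qm4m.
NOKOGIRI_FIXED = Gem::Version.new("1.18.3")
LIBXML2_FIXED  = Gem::Version.new("2.13.6")

# Gemfile.lock lists resolved gems under "specs:" with four leading spaces,
# e.g. "    nokogiri (1.18.2-x86_64-linux)". The platform suffix after the
# first dash is dropped so only the gem version is compared.
def nokogiri_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}nokogiri \(([^)]+)\)/)
  return nil unless match
  Gem::Version.new(match[1].split("-", 2).first)
end

# Any packaged-libxml2 build below 1.18.3 is in the advisory's affected range.
def vulnerable_nokogiri?(version)
  version < NOKOGIRI_FIXED
end

# For system-libxml2 builds the gem version alone is not decisive; check the
# libxml2 actually loaded. Returns nil when the information is unavailable.
# Hash shape assumed to mirror Nokogiri::VERSION_INFO["libxml"]["loaded"].
def libxml2_patched?(version_info)
  libxml = version_info["libxml"]
  return nil unless libxml && libxml["loaded"]
  Gem::Version.new(libxml["loaded"]) >= LIBXML2_FIXED
end

# Constructed sample lockfile with a vulnerable pin (not from the advisory).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.2-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)
LOCK

def assess(lockfile_text)
  version = nokogiri_version_from_lockfile(lockfile_text)
  return "nokogiri not found in lockfile" if version.nil?
  if vulnerable_nokogiri?(version)
    "nokogiri #{version} is affected by GHSA-vvfq-8hwr-qm4m; upgrade to #{NOKOGIRI_FIXED} or later"
  else
    "nokogiri #{version} is at or above the fixed version #{NOKOGIRI_FIXED}"
  end
end

puts assess(SAMPLE_LOCKFILE) if $PROGRAM_NAME == __FILE__
```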
