
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability (GHSA-xc9x-jj77-9p9j) was identified in Nokogiri's packaged libxml2 library. The vulnerability affects Nokogiri versions >= 1.16.0 and < 1.16.2, as well as versions < 1.15.6. This issue specifically impacts the CRuby implementation of Nokogiri when using packaged libraries, while JRuby users are not affected. The vulnerability was discovered and disclosed in February 2024, with patches released in Nokogiri versions 1.15.6 and 1.16.2 (GitHub Advisory).
The vulnerability (CVE-2024-25062) is in libxml2's xmlTextReader module, which underlies Nokogiri::XML::Reader. When the XML Reader interface is used with both DTD validation and XInclude expansion enabled, processing a crafted XML document can trigger a use-after-free in xmlValidatePopElement. The issue is classified as CWE-416 (Use After Free) and received a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Gnome GitLab).
Only applications that use the XML Reader interface with both DTD validation and XInclude expansion enabled are affected. When triggered, the use-after-free in xmlValidatePopElement can crash the application or cause other memory-related misbehaviour; the CVSS vector above records an availability-only impact (GitHub Advisory).
Users are advised to upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2. Those unable to upgrade can instead compile and link Nokogiri against a patched external libxml2. Users who overrode the defaults at installation time to use system libraries should monitor their distribution's libxml2 release announcements (GitHub Advisory).
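The advisory gives three conditions that must all hold for an application to reach this bug: an affected Nokogiri version, the packaged libxml2 on CRuby (rather than JRuby or a system library), and an XML Reader configured with both DTD validation and XInclude expansion. The following Ruby helper, added here as an example and not code from the advisory or the Nokogiri project, turns those conditions into an audit check. The function names are hypothetical; the DTDVALID and XINCLUDE bit values are assumed to mirror libxml2's XML_PARSE_DTDVALID (1 << 4) and XML_PARSE_XINCLUDE (1 << 10), which Nokogiri::XML::ParseOptions exposes under the same names; and the runtime probe assumes Nokogiri::VERSION_INFO carries a "libxml" => {"source" => "packaged" | "system"} entry.

```ruby
# Added example (not from the advisory or the Nokogiri project): an audit
# helper for GHSA-xc9x-jj77-9p9j / CVE-2024-25062 exposure.
require "rubygems" # Gem::Version; already loaded by default in modern Ruby

# Affected ranges as stated in the advisory: < 1.15.6, and >= 1.16.0 < 1.16.2.
FIXED_1_15 = Gem::Version.new("1.15.6")
FIRST_1_16 = Gem::Version.new("1.16.0")
FIXED_1_16 = Gem::Version.new("1.16.2")

# Assumed to mirror libxml2's xmlParserOption bits (XML_PARSE_DTDVALID,
# XML_PARSE_XINCLUDE), which Nokogiri::XML::ParseOptions exposes under the
# same names. Defined locally so the audit runs without the nokogiri gem.
DTDVALID = 1 << 4
XINCLUDE = 1 << 10

# True when a Nokogiri version string falls inside an affected range.
def nokogiri_version_affected?(version)
  v = Gem::Version.new(version)
  return true if v < FIXED_1_15
  v >= FIRST_1_16 && v < FIXED_1_16
end

# Smallest patched release on the caller's own line (1.15.x -> 1.15.6,
# anything later -> 1.16.2), matching the advisory's "~> 1.15.6 or >= 1.16.2".
def recommended_upgrade(version)
  v = Gem::Version.new(version)
  v < FIRST_1_16 ? FIXED_1_15.to_s : FIXED_1_16.to_s
end

# The vulnerable path in xmlTextReader needs BOTH DTD validation and XInclude
# expansion enabled; either one alone does not reach it.
def reader_options_reach_bug?(options)
  (options & DTDVALID) != 0 && (options & XINCLUDE) != 0
end

# Combines the three advisory conditions into one verdict. :exposed is true
# only when all of them hold. Note that libxml_source == "system" means the
# gem advisory does not apply, but the distribution's own libxml2 still must
# be checked separately, as the advisory says.
def exposure(version:, libxml_source:, jruby:, reader_options:)
  {
    version_affected: nokogiri_version_affected?(version),
    packaged_libxml: libxml_source == "packaged" && !jruby,
    risky_reader_options: reader_options_reach_bug?(reader_options),
  }.tap { |h| h[:exposed] = h.values.all? }
end

# Runtime probe of the installed gem. Assumes Nokogiri::VERSION_INFO has a
# "libxml" => {"source" => ...} entry (absent on JRuby, so dig returns nil).
# Returns nil when the gem is not installed.
def probe_installed_nokogiri(reader_options)
  require "nokogiri"
  exposure(version: Nokogiri::VERSION,
           libxml_source: Nokogiri::VERSION_INFO.dig("libxml", "source"),
           jruby: Nokogiri.jruby?,
           reader_options: reader_options)
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a 1.16.1 app whose reader is built with DTDVALID|XINCLUDE.
  verdict = exposure(version: "1.16.1", libxml_source: "packaged", jruby: false,
                     reader_options: DTDVALID | XINCLUDE)
  puts verdict.inspect
  puts "upgrade to Nokogiri #{recommended_upgrade("1.16.1")}" if verdict[:exposed]
end
```

In a real code base the reader_options argument is whatever integer (or Nokogiri::XML::ParseOptions object's to_i) the application passes to Nokogiri::XML::Reader; the helper deliberately reports the three conditions separately, because an affected version with a reader that never enables both options is still worth upgrading but is not on the crash path the advisory describes.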
The community response led to backporting security fixes to the 1.15.x branch, as evidenced by user requests and maintainer responses. This decision was made to support users who were unable to upgrade to newer versions due to various constraints (Nokogiri Discussion).
Source: This report was generated using AI