GHSA-xxx9-3xcr-gjj3: 
Ruby vulnerability analysis and mitigation

The vulnerability (GHSA-xxx9-3xcr-gjj3) affects the Apache Xerces Java (XercesJ) XML parser implementation in Nokogiri versions below 1.13.4. This security issue was discovered and disclosed in April 2022, specifically impacting the JRuby implementation of Nokogiri that uses xerces:xercesImpl versions prior to 2.12.2. The vulnerability has been assigned a CVSS score of 6.5 (Medium severity) (GitHub Advisory, NVD).

The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop'). When handling specially crafted XML document payloads, the XercesJ XML parser enters an infinite loop condition. The vulnerability has a CVSS v3.1 base score of 6.5 with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: Required, Scope: Unchanged, Confidentiality: None, Integrity: None, Availability: High (NVD).

The primary impact of this vulnerability is on system availability. When exploited, the vulnerability causes the XercesJ XML parser to enter an infinite loop, which can consume system resources for prolonged periods, potentially leading to a denial of service condition (GitHub Advisory).

The recommended mitigation is to upgrade to Nokogiri version 1.13.4 or later, which includes the patched xerces:xercesImpl version 2.12.2. This update specifically addresses the infinite loop vulnerability in the XML parser (Nokogiri Release).

The vulnerability was acknowledged and addressed by multiple organizations, including Oracle and NetApp, who released their own security advisories and patches (Oracle Advisory, NetApp Advisory).