{"vulnerability": "ghsa-phwj-rprq-35pp", "sightings": [{"uuid": "49d6bb83-d8b1-4026-9ad1-bf958d83427f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-phwj-rprq-35pp", "type": "seen", "source": "https://gist.github.com/alon710/21026fb050081ef961f3644c807713b6", "content": "# GHSA-PHWJ-RPRQ-35PP: GHSA-PHWJ-RPRQ-35PP: Use-After-Free Vulnerability in Nokogiri XML Attribute Value Modification\n\n> **CVSS Score:** 2.3\n> **Published:** 2026-06-19\n> **Full Report:** https://cvereports.com/reports/GHSA-PHWJ-RPRQ-35PP\n\n## Summary\nA use-after-free (UAF) vulnerability exists in the CRuby native extension of the Nokogiri gem when updating XML attribute values. If child nodes of an XML attribute are wrapped by Ruby objects prior to setting the attribute's value, the underlying C memory structures are freed while the Ruby wrapper retains a dangling pointer. This results in memory corruption, invalid pointer dereferences, and application crashes during execution or garbage collection.\n\n## TL;DR\nA use-after-free vulnerability in the Nokogiri gem's CRuby extension allows remote attackers to trigger process crashes or memory corruption when updating XML attribute values.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-416\n- **Vulnerability Class**: Use-After-Free (UAF)\n- **CVSS Score**: 2.3 (Low)\n- **Attack Vector**: Network\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n- **Patched Version**: 1.19.4\n\n## Affected Systems\n\n- Nokogiri (CRuby implementations)\n- **Nokogiri**: < 1.19.4 (Fixed in: `1.19.4`)\n\n## Mitigation\n\n- Upgrade Nokogiri to version 1.19.4 or higher.\n- Avoid accessing internal child nodes of XML attributes directly before mutating their values.\n\n**Remediation Steps:**\n1. Modify Gemfile to enforce a minimum Nokogiri version of 1.19.4.\n2. Run 'bundle update nokogiri' to apply the patch.\n3. 
Verify dependencies and ensure no legacy transitively-locked versions of Nokogiri exist in the lockfile.\n\n## References\n\n- [GHSA-PHWJ-RPRQ-35PP Security Advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp)\n- [Nokogiri GitHub Repository](https://github.com/sparklemotion/nokogiri)\n- [Nokogiri 1.19.4 Patch Comparison](https://github.com/sparklemotion/nokogiri/compare/v1.19.3...v1.19.4)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-PHWJ-RPRQ-35PP) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T17:11:20.000000Z"}, {"uuid": "bec8cd38-6e1f-4cd1-b401-b03128cec71d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-phwj-rprq-35pp", "type": "seen", "source": "https://gist.github.com/alon710/61be013bad9ac90453bf311859cf9464", "content": "# GHSA-PHWJ-RPRQ-35PP: GHSA-PHWJ-RPRQ-35PP: Use-After-Free Vulnerability in Nokogiri XML Attribute Value Modification\n\n> **CVSS Score:** 2.3\n> **Published:** 2026-06-19\n> **Full Report:** https://cvereports.com/reports/GHSA-PHWJ-RPRQ-35PP\n\n## Summary\nA use-after-free (UAF) vulnerability exists in the CRuby native extension of the Nokogiri gem when updating XML attribute values. If child nodes of an XML attribute are wrapped by Ruby objects prior to setting the attribute's value, the underlying C memory structures are freed while the Ruby wrapper retains a dangling pointer. 
This results in memory corruption, invalid pointer dereferences, and application crashes during execution or garbage collection.\n\n## TL;DR\nA use-after-free vulnerability in the Nokogiri gem's CRuby extension allows remote attackers to trigger process crashes or memory corruption when updating XML attribute values.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-416\n- **Vulnerability Class**: Use-After-Free (UAF)\n- **CVSS Score**: 2.3 (Low)\n- **Attack Vector**: Network\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n- **Patched Version**: 1.19.4\n\n## Affected Systems\n\n- Nokogiri (CRuby implementations)\n- **Nokogiri**: < 1.19.4 (Fixed in: `1.19.4`)\n\n## Mitigation\n\n- Upgrade Nokogiri to version 1.19.4 or higher.\n- Avoid accessing internal child nodes of XML attributes directly before mutating their values.\n\n**Remediation Steps:**\n1. Modify Gemfile to enforce a minimum Nokogiri version of 1.19.4.\n2. Run 'bundle update nokogiri' to apply the patch.\n3. Verify dependencies and ensure no legacy transitively-locked versions of Nokogiri exist in the lockfile.\n\n## References\n\n- [GHSA-PHWJ-RPRQ-35PP Security Advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp)\n- [Nokogiri GitHub Repository](https://github.com/sparklemotion/nokogiri)\n- [Nokogiri 1.19.4 Patch Comparison](https://github.com/sparklemotion/nokogiri/compare/v1.19.3...v1.19.4)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-PHWJ-RPRQ-35PP) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T17:22:09.000000Z"}]}