From 64ecf63ee0eddc9b26b020511ac1b46266a6d951 Mon Sep 17 00:00:00 2001 From: osv-robot Date: Sat, 20 Jun 2026 19:15:20 +0000 Subject: [PATCH] test: update snapshots --- .../__snapshots__/cassette_TestCommand.snap | 36 ++ .../cassette_TestCommand_MoreLockfiles.snap | 32 ++ .../cassette_TestCommand_Transitive.snap | 4 + .../__snapshots__/cassette_batch_query.snap | 16 + .../__snapshots__/cassette_single_query.snap | 414 +++++++++++++++++- 5 files changed, 495 insertions(+), 7 deletions(-) diff --git a/tools/apitester/__snapshots__/cassette_TestCommand.snap b/tools/apitester/__snapshots__/cassette_TestCommand.snap index e73c2f69d17..acaf58f30b9 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand.snap @@ -4829,6 +4829,10 @@ "id": "DEBIAN-CVE-2025-40909", "modified": "" }, + { + "id": "DEBIAN-CVE-2026-12087", + "modified": "" + }, { "id": "DEBIAN-CVE-2026-42496", "modified": "" @@ -5266,6 +5270,22 @@ "id": "DEBIAN-CVE-2026-3184", "modified": "" }, + { + "id": "DEBIAN-CVE-2026-53612", + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-53613", + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-53614", + "modified": "" + }, + { + "id": "DEBIAN-CVE-2026-53615", + "modified": "" + }, { "id": "DLA-3782-1", "modified": "" @@ -7128,6 +7148,10 @@ { "id": "PYSEC-2024-60", "modified": "" + }, + { + "id": "PYSEC-2026-215", + "modified": "" } ] }, @@ -7151,6 +7175,10 @@ { "id": "PYSEC-2024-60", "modified": "" + }, + { + "id": "PYSEC-2026-215", + "modified": "" } ] }, @@ -8092,6 +8120,10 @@ { "id": "PYSEC-2024-60", "modified": "" + }, + { + "id": "PYSEC-2026-215", + "modified": "" } ] }, @@ -8115,6 +8147,10 @@ { "id": "PYSEC-2024-60", "modified": "" + }, + { + "id": "PYSEC-2026-215", + "modified": "" } ] }, diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap b/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap index 106fd32f154..2e925da5980 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_MoreLockfiles.snap @@ -286,10 +286,26 @@ "id": "GHSA-353f-x4gh-cqq8", "modified": "" }, + { + "id": "GHSA-5prr-v3j2-97mh", + "modified": "" + }, + { + "id": "GHSA-5v8h-3h3q-446p", + "modified": "" + }, { "id": "GHSA-5w6v-399v-w3cc", "modified": "" }, + { + "id": "GHSA-8678-w3jw-xfc2", + "modified": "" + }, + { + "id": "GHSA-9cv2-cfxc-v4v2", + "modified": "" + }, { "id": "GHSA-c4rq-3m3g-8wgx", "modified": "" @@ -298,6 +314,14 @@ "id": "GHSA-mrxw-mxhj-p664", "modified": "" }, + { + "id": "GHSA-p67v-3w7g-wjg7", + "modified": "" + }, + { + "id": "GHSA-phwj-rprq-35pp", + "modified": "" + }, { "id": "GHSA-v2fc-qm4h-8hqv", "modified": "" @@ -306,6 +330,14 @@ "id": "GHSA-vvfq-8hwr-qm4m", "modified": "" }, + { + "id": "GHSA-wfpw-mmfh-qq69", + "modified": "" + }, + { + "id": "GHSA-wjv4-x9w8-wm3h", + "modified": "" + }, { "id": "GHSA-wx95-c6cv-8532", "modified": "" diff --git a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap index 42273d5739e..3d402465649 100755 --- a/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap +++ b/tools/apitester/__snapshots__/cassette_TestCommand_Transitive.snap @@ -1884,6 +1884,10 @@ { "id": "PYSEC-2024-60", "modified": "" + }, + { + "id": "PYSEC-2026-215", + "modified": "" } ] }, diff --git a/tools/apitester/__snapshots__/cassette_batch_query.snap b/tools/apitester/__snapshots__/cassette_batch_query.snap index 5c5504f971a..9ece27b5e24 100755 --- a/tools/apitester/__snapshots__/cassette_batch_query.snap +++ b/tools/apitester/__snapshots__/cassette_batch_query.snap @@ -10,6 +10,22 @@ { "id": "CVE-2021-22569", "modified": "" + }, + { + "id": "CVE-2022-1941", + "modified": "" + }, + { + "id": "CVE-2022-3171", + "modified": "" + }, + { + "id": "CVE-2022-3509", + "modified": "" + }, + { + "id": "CVE-2022-3510", + "modified": "" } ] } diff --git a/tools/apitester/__snapshots__/cassette_single_query.snap b/tools/apitester/__snapshots__/cassette_single_query.snap index 967345882bd..c1614262f69 100755 --- a/tools/apitester/__snapshots__/cassette_single_query.snap +++ b/tools/apitester/__snapshots__/cassette_single_query.snap @@ -63,7 +63,7 @@ "introduced": "0" }, { - "last_affected": "aee123fc83388b8f5acfb301d87bd92eccc5b843" + "fixed": "62e803b36173fd096d7ad460dd1d1db9be542593" } ], "database_specific": "" @@ -155,12 +155,13 @@ "introduced": "0" }, { - "fixed": "afcae83a064843d71d47624bc162e121cc56c08b" + "fixed": "85be877925ddbf34f74a1229f3ca1716bb6170dc" } - ] + ], + "database_specific": "" } ], - "versions": 159, + "versions": 160, "database_specific": "" } ], @@ -225,11 +226,15 @@ }, { "fixed": "b0af59229cc233a66106c696534ac39be56093d8" + }, + { + "fixed": "1265ff8d990284f04d8768f35b0e20ae5f60daae" } - ] + ], + "database_specific": "" } ], - "versions": 194, + "versions": 195, "database_specific": "" } ], @@ -2399,10 +2404,14 @@ { "introduced": "70812c2f32fc5734bcbbe572b9f61c380433ad6a" }, + { + "fixed": "83bedbd730d62b83744cc26fa0433d3f6e2e4cd6" + }, { "fixed": "27959ecce75cdb2809c0bdb3286e60e08fadb519" } - ] + ], + "database_specific": "" } ], "versions": 94, @@ -3499,6 +3508,7 @@ "SUSE-SU-2026:1717-1", "SUSE-SU-2026:1940-1", "SUSE-SU-2026:21452-1", + "SUSE-SU-2026:22146-1", "openSUSE-SU-2026:10674-1" ], "database_specific": "", @@ -3568,6 +3578,7 @@ "SUSE-SU-2026:1717-1", "SUSE-SU-2026:1940-1", "SUSE-SU-2026:21452-1", + "SUSE-SU-2026:22146-1", "openSUSE-SU-2026:10674-1" ], "database_specific": "", @@ -3697,6 +3708,7 @@ "SUSE-SU-2026:1717-1", "SUSE-SU-2026:1940-1", "SUSE-SU-2026:21452-1", + "SUSE-SU-2026:22146-1", "openSUSE-SU-2026:10674-1" ], "database_specific": "", @@ -3766,6 +3778,7 @@ "SUSE-SU-2026:1717-1", "SUSE-SU-2026:1940-1", "SUSE-SU-2026:21452-1", + "SUSE-SU-2026:22146-1", "openSUSE-SU-2026:10674-1" ], "database_specific": "", @@ -3835,6 +3848,7 @@ "SUSE-SU-2026:1717-1", "SUSE-SU-2026:1940-1", "SUSE-SU-2026:21452-1", + "SUSE-SU-2026:22146-1", "openSUSE-SU-2026:10674-1" ], "database_specific": "", @@ -4049,6 +4063,104 @@ ], "schema_version": "1.7.3" }, + { + "id": "GHSA-5prr-v3j2-97mh", + "summary": "Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`", + "details": "### Summary\n\n`Nokogiri::XML::NodeSet#[]` (and its alias `#slice`) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node.\n\nNokogiri 1.19.4 performs the bounds check against the full-width index.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as medium severity.\n\nExploitation requires an application to pass an attacker-controlled integer to `NodeSet#[]`. The primary impact is a controlled crash (denial of service), with potential for memory disclosure on CRuby.\n\nOn JRuby, Nokogiri is not affected by this vulnerability.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nAs a workaround, applications that index a `NodeSet` with externally-supplied integers can validate the index against `node_set.length` before use, or avoid passing untrusted values as an index.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.", + "modified": "", + "published": "2026-06-19T16:36:42Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5prr-v3j2-97mh" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ] + }, + { + "id": "GHSA-5v8h-3h3q-446p", + "summary": "Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exception", + "details": "### Summary\n\nCalling `Document#encoding=` with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to `Document#encoding` reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby `String`.\n\nAffects the CRuby (libxml2) implementation only; JRuby is not affected.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must pass an invalid encoding to `Document#encoding=`, rescue the resulting exception, and then continue using the same document. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. The document no longer references freed memory after the exception is raised.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nIf users are unable to upgrade, avoid passing attacker-controlled values to `Document#encoding=`. Applications that only assign developer-authored encodings are not directly exposed.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.", + "modified": "", + "published": "2026-06-19T16:35:58Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5v8h-3h3q-446p" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" + } + ] + }, { "id": "GHSA-5w6v-399v-w3cc", "summary": "Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415", @@ -4105,6 +4217,104 @@ ], "schema_version": "1.7.3" }, + { + "id": "GHSA-8678-w3jw-xfc2", + "summary": "Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247", + "details": "### Summary\n\nThe `NONET` parse option, which Nokogiri turns on by default for `Nokogiri::XML::Schema` (see [CVE-2020-26247](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m)), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks.\n\nNokogiri 1.19.4 replaces the scheme denylist with an allowlist. When `NONET` is enabled, only local resources (a `file:` scheme, or a relative or absolute path with no scheme) are resolved, and every network scheme is blocked, case-insensitively. This brings the JRuby behavior in line with CRuby.\n\nOnly the JRuby implementation is affected. CRuby is not affected, because libxml2's `xmlNoNetExternalEntityLoader` blocks all network schemes at the I/O layer regardless of scheme or case.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity (CVSS 2.6, `CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N`). It is a bypass of CVE-2020-26247, which was scored the same way.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nThere are no known workarounds for affected versions.\n\nThis change properly enforces `NONET` on JRuby, which is a breaking change for any code that (perhaps unknowingly) relied on the previous behavior to load network resources with default parse options. If you trust your input and want to allow external resources to be accessed over the network, you can explicitly disable `NONET`, exactly as documented for CVE-2020-26247:\n\n1. Ensure the input is trusted. Do not enable this option for untrusted input.\n2. Pass a `Nokogiri::XML::ParseOptions` with the `NONET` flag turned off:\n\n``` ruby\n# allows resources to be accessed over the network for trusted input\nschema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)\n```\n\n### References\n\n- Bypass of: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m\n\n### Credit\n\nThis issue was responsibly reported by @bilerden.", + "modified": "", + "published": "2026-06-19T16:36:11Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N" + } + ] + }, + { + "id": "GHSA-9cv2-cfxc-v4v2", + "summary": "Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes", + "details": "### Summary\n\nNokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from `Nokogiri::XML::Node`. This caused a NULL pointer dereference that could crash the process.\n\nNokogiri 1.19.4 checks for missing native data pointers and raises a `RuntimeError`.\n\nJRuby is not affected.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity. This is only triggered by a programming error. It requires application code to call `.allocate` directly on a native-backed class and then invoke methods on the resulting uninitialized object. It cannot be triggered by untrusted input or through normal use of the public API.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nAvoid calling `.allocate` directly on Nokogiri native-backed classes. Use the documented constructors and factory methods instead.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.", + "modified": "", + "published": "2026-06-19T16:36:23Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-9cv2-cfxc-v4v2" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" + } + ] + }, { "id": "GHSA-c4rq-3m3g-8wgx", "summary": "Nokogiri CSS selector tokenizer has regular expression backtracking", @@ -4221,6 +4431,104 @@ } ] }, + { + "id": "GHSA-p67v-3w7g-wjg7", + "summary": "Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyond document lifetime", + "details": "### Summary\n\n`Nokogiri::XML::XPathContext` did not keep its source document alive for garbage collection. If an `XPathContext` outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault.\n\nThis is only reachable when application code constructs an `XPathContext` directly and lets the document become unreachable while continuing to use the context. The normal `Document#xpath`, `#css`, and related search methods are not affected, and it is not triggerable by malicious document input.\n\nNokogiri 1.19.4 makes `XPathContext` keep its source document alive for as long as the context exists.\n\nOnly the CRuby implementation is affected. JRuby is not affected.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must construct an `XML::XPathContext` directly and continue using it after allowing its source document to be garbage-collected. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. The context now keeps its source document alive for as long as it exists.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nAs a workaround, ensure the source document remains referenced for as long as any `XPathContext` created from it is in use. The standard `Document#xpath`, `#css`, and related search methods already do this and are unaffected.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.", + "modified": "", + "published": "2026-06-19T16:37:13Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear" + } + ] + }, + { + "id": "GHSA-phwj-rprq-35pp", + "summary": "Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`", + "details": "### Summary\n\nNokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, `Nokogiri::XML::Attr#value=` could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault.\n\nNokogiri 1.19.4 preserves any already-wrapped attribute child nodes before replacing the attribute value.\n\nJRuby is not affected.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must directly access an attribute's child node and then replace that same attribute's value via `Attr#value=` or `#content=`. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. Already-wrapped attribute child nodes are preserved before the value is replaced.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nAs a workaround, avoid accessing attribute child nodes directly via `Attr#child` or similar before mutating the same attribute’s value.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.", + "modified": "", + "published": "2026-06-19T16:37:46Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" + } + ] + }, { "id": "GHSA-v2fc-qm4h-8hqv", "summary": "Nokogiri XSLT transform has a memory leak", @@ -4319,6 +4627,98 @@ ], "schema_version": "1.7.3" }, + { + "id": "GHSA-wfpw-mmfh-qq69", + "summary": "Nokogiri: Possible Use-After-Free in XInclude Processing", + "details": "### Summary\n\nXInclude substitution performed by `Nokogiri::XML::Node#do_xinclude` replaced each `\u003cxi:include\u003e` in place, freeing the include node along with its children (such as `\u003cxi:fallback\u003e` and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory.\n\nNokogiri 1.19.4 substitutes each `\u003cxi:include\u003e` on a defensive copy by default, so the structures libxml2 frees are never the ones bound to live Ruby objects.\n\nOnly the CRuby implementation is affected; JRuby is not affected.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must parse a document without XInclude, traverse into an `\u003cxi:include\u003e` subtree to expose its nodes or namespaces to Ruby, and only then invoke XInclude processing. The common case, requesting XInclude at parse time, operates on a freshly parsed document whose nodes are not yet exposed to Ruby and is not affected. Nokogiri 1.19.4 makes this pattern safe by default and requires no change to application code.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nAs a workaround for earlier versions, perform XInclude substitution at parse time (with the `xinclude` parse option) rather than calling `#do_xinclude` on a document that has already been traversed. A freshly parsed document has no nodes exposed to Ruby, so the substitution is safe.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.", + "modified": "", + "published": "2026-06-19T16:37:25Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wfpw-mmfh-qq69" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5" + }, + { + "id": "GHSA-wjv4-x9w8-wm3h", + "summary": "Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type", + "details": "### Summary\n\n`Nokogiri::XML::Document#root=` validated only that the new root was a `Nokogiri::XML::Node`, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault.\n\nNokogiri 1.19.4 restricts `Document#root=` to element nodes, raising `TypeError` for any other node type.\n\nThis memory-safety issue affects only the CRuby implementation (libxml2). The JRuby implementation was not affected; the same input validation was added there for behavioral parity.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity. This is only triggered by a programming error. It requires application code to assign a non-element node such as a DTD as the document root via `Document#root=`. Nokogiri 1.19.4 now raises `TypeError` instead of allowing a use-after-free. It cannot be triggered by untrusted input or through normal use of the public API.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nAs a workaround, applications that cannot upgrade should avoid assigning a DTD (or any non-element node) via `Document#root=`.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.", + "modified": "", + "published": "2026-06-19T16:36:59Z", + "database_specific": "", + "references": [ + { + "type": "WEB", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wjv4-x9w8-wm3h" + }, + { + "type": "PACKAGE", + "url": "https://github.com/sparklemotion/nokogiri" + } + ], + "affected": [ + { + "package": { + "name": "nokogiri", + "ecosystem": "RubyGems", + "purl": "pkg:gem/nokogiri" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.4" + } + ] + } + ], + "versions": 194, + "database_specific": "" + } + ], + "schema_version": "1.7.5", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" + } + ] + }, { "id": "GHSA-wx95-c6cv-8532", "summary": "Nokogiri does not check the return value from xmlC14NExecute",