Security Advisory: Nokogiri CVE Vulnerabilities

Current Status

Date: February 2, 2026
Current Nokogiri Version: 1.19.0
Current Ruby Version: 3.2.10
Status: ✅ RESOLVED - All security vulnerabilities patched

Identified Vulnerabilities

Critical & High Severity

  1. GHSA-5w6v-399v-w3cc (Critical): Vendored libxml2 CVEs
    • Fixed in: Nokogiri v1.18.8
    • CVEs: CVE-2025-32414, CVE-2025-32415
  2. GHSA-mrxw-mxhj-p664 (High): Packaged libxslt updated to v1.1.43
    • Fixed in: Nokogiri v1.18.4
    • CVEs: CVE-2025-24855, CVE-2024-55549

Low Severity

  1. GHSA-vvfq-8hwr-qm4m (Low): Packaged libxml2 updated to v2.13.6 and v2.13.8
    • Fixed in: Nokogiri v1.18.3, v1.18.8
    • CVEs: CVE-2025-32414, CVE-2025-32415, CVE-2025-24928, CVE-2024-56171

Root Cause

The Nokogiri 1.18.x series (which contains the security fixes) requires Ruby >= 3.1.0, but at the time the alerts were raised this project was running Ruby 3.0.2.

The github-pages gem (v232) was last updated in August 2024; it pins its dependencies to versions compatible with older Ruby releases and does not yet allow the patched Nokogiri versions.

Impact Assessment

The vulnerabilities affect XML/HTML parsing operations:

  • CVE-2025-32414: Out-of-bounds memory access (Python API - low impact for Ruby users)
  • CVE-2025-32415: Heap-based buffer under-read during XML schema validation
  • CVE-2025-24928: Stack-buffer overflow in DTD validation error reporting
  • CVE-2024-56171: Use-after-free during XML Schema validation

Risk Level: Moderate - These vulnerabilities primarily affect validation of untrusted XML documents against untrusted schemas. Static site generation with Jekyll typically does not involve these operations.

Option 1: Upgrade Ruby

  1. Upgrade Ruby to 3.1.0 or higher:
    # Using rbenv
    rbenv install 3.1.6  # or latest 3.x version
    rbenv local 3.1.6

    # Or using rvm
    rvm install 3.1.6
    rvm use 3.1.6

  2. Update dependencies:
    bundle update nokogiri

  3. Verify the update:
    bundle exec jekyll serve

Option 2: Pin Nokogiri in the Gemfile after the Ruby Upgrade

Once Ruby is upgraded, add this to the Gemfile:

gem "nokogiri", ">= 1.18.8"

Then run:

bundle update nokogiri

If upgrading Ruby is not feasible immediately:

  • Document the accepted risk
  • Monitor for backported fixes to Nokogiri 1.17.x series (unlikely)
  • Avoid processing untrusted XML documents
  • Plan Ruby upgrade for near future

Verification Steps

After upgrading Ruby and updating Nokogiri:

  1. Check Nokogiri version:
    bundle exec ruby -e "require 'nokogiri'; puts Nokogiri::VERSION"
    
  2. Verify Ruby version:
    ruby --version
    
  3. Test site build:
    bundle exec jekyll build
    bundle exec jekyll serve
    
  4. The Dependabot alerts should close automatically once the changes are pushed to GitHub.
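The version checks in steps 1 and 2 can be scripted as a CI or pre-commit guard. The block below is an added example, not part of the original advisory: it reads the resolved Nokogiri version out of a Gemfile.lock and compares it, plus the bundled libxml2 and libxslt versions, against the minimums named above. The Gemfile.lock sample is constructed, and the nested key layout ("nokogiri"/"version", "libxml"/"loaded", "libxslt"/"loaded") is assumed to follow Nokogiri::VERSION_INFO.

```ruby
# Minimum patched versions, taken from the advisory above.
MINIMUMS = {
  "nokogiri" => "1.18.8", # GHSA-5w6v-399v-w3cc, GHSA-vvfq-8hwr-qm4m
  "libxml"   => "2.13.8", # vendored libxml2
  "libxslt"  => "1.1.43", # GHSA-mrxw-mxhj-p664
}.freeze

# Resolved specs in Gemfile.lock sit at 4-space indent as "name (version[-platform])";
# dependency lines at 6-space indent carry constraints such as "(>= 1.13.6)" and are skipped.
# The platform suffix ("-x86_64-linux") is dropped: Gem::Version would read it as a prerelease tag.
def locked_nokogiri_versions(lockfile_text)
  lockfile_text.scan(/^ {4}nokogiri \(([0-9][0-9.]*)(?:-[^)]*)?\)$/).flatten.uniq
end

# True when +version+ is older than +minimum+ (semantic comparison, not string order).
def outdated?(version, minimum)
  Gem::Version.new(version) < Gem::Version.new(minimum)
end

# Inspect a hash shaped like Nokogiri::VERSION_INFO (assumed layout: "nokogiri"/"version",
# "libxml"/"loaded", "libxslt"/"loaded") and return the components still below their
# minimum. "loaded" rather than "compiled" matters when a system libxml2 is in use.
def outdated_components(info, minimums = MINIMUMS)
  found = {
    "nokogiri" => info.dig("nokogiri", "version"),
    "libxml"   => info.dig("libxml", "loaded"),
    "libxslt"  => info.dig("libxslt", "loaded"),
  }
  found.select { |name, ver| ver.nil? || outdated?(ver, minimums[name]) }.keys
end

# Constructed sample lockfile reflecting the pre-upgrade state described in the advisory.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      github-pages (232)
        nokogiri (>= 1.13.6, < 2.0)
      nokogiri (1.17.2-x86_64-linux)
        racc (~> 1.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  locked_nokogiri_versions(SAMPLE_LOCK).each do |v|
    puts "nokogiri #{v}: #{outdated?(v, MINIMUMS['nokogiri']) ? 'below minimum' : 'ok'}"
  end
  # On a real checkout: p outdated_components(Nokogiri::VERSION_INFO)
end
```

Run it against the repository's own Gemfile.lock (File.read) to fail the build while the locked Nokogiri is still 1.17.x.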

Resolution Summary

The security vulnerabilities were resolved by taking the following steps:

  1. Installed rbenv: Ruby version manager for managing multiple Ruby versions
  2. Upgraded Ruby: From 3.0.2 to 3.2.10
  3. Updated Nokogiri: From 1.17.2 to 1.19.0
  4. Updated Gemfile: Added explicit Nokogiri version requirement >= 1.18.8
  5. Verified Build: Jekyll site builds successfully with all updates

Nokogiri 1.19.0 includes fixes for all identified CVEs:

  • CVE-2025-32414 ✅
  • CVE-2025-32415 ✅
  • CVE-2025-24928 ✅
  • CVE-2024-56171 ✅
  • CVE-2025-24855 ✅
  • CVE-2024-55549 ✅

Timeline

  • Feb 2, 2026: Security vulnerabilities identified
  • Feb 2, 2026: Installed rbenv, upgraded Ruby to 3.2.10, updated Nokogiri to 1.19.0
  • Status: ✅ RESOLVED