{"id":"GHSA-v2fc-qm4h-8hqv","summary":"Nokogiri XSLT transform has a memory leak","details":"## Summary\n\nNokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte.\n\nFor applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack against long-running processes.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.19.3`.\n\nUsers may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3.\n\nEach leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.\n\nApplications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.\n\n\n## Resources\n\n- [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html)\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @Captainjack-kor.","modified":"2026-05-09T10:44:28.032980854Z","published":"2026-05-06T18:27:38Z","related":["CGA-pv73-vfgr-mg7p"],"database_specific":{"github_reviewed":true,"cwe_ids":["CWE-401"],"severity":"MODERATE","nvd_published_at":null,"github_reviewed_at":"2026-05-06T18:27:38Z"},"references":[{"type":"WEB","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv"},{"type":"PACKAGE","url":"https://github.com/sparklemotion/nokogiri"}],"affected":[{"package":{"name":"nokogiri","ecosystem":"RubyGems","purl":"pkg:gem/nokogiri"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.19.3"}]}],"versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0","1.1.1","1.10.0","1.10.0.rc1","1.10.1","1.10.10","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.10.8","1.10.9","1.11.0","1.11.0.rc1","1.11.0.rc2","1.11.0.rc3","1.11.0.rc4","1.11.1","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.12.0","1.12.0.rc1","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.13.0","1.13.1","1.13.10","1.13.2","1.13.3","1.13.4","1.13.5","1.13.6","1.13.7","1.13.8","1.13.9","1.14.0","1.14.0.rc1","1.14.1","1.14.2","1.14.3","1.14.4","1.14.5","1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.15.5","1.15.6","1.15.7","1.16.0","1.16.0.rc1","1.16.1","1.16.2","1.16.3","1.16.4","1.16.5","1.16.6","1.16.7","1.16.8","1.17.0","1.17.1","1.17.2","1.18.0","1.18.0.rc1","1.18.1","1.18.10","1.18.2","1.18.3","1.18.4","1.18.5","1.18.6","1.18.7","1.18.8","1.18.9","1.19.0","1.19.1","1.19.2","1.2.0","1.2.1","1.2.2","1.2.3","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.2","1.4.2.1","1.4.3","1.4.3.1","1.4.4","1.4.4.1","1.4.4.2","1.4.5","1.4.6","1.4.7","1.5.0","1.5.0.beta.1","1.5.0.beta.2","1.5.0.beta.3","1.5.0.beta.4","1.5.1","1.5.1.rc1","1.5.10","1.5.11","1.5.2","1.5.3","1.5.3.rc2","1.5.3.rc3","1.5.3.rc4","1.5.3.rc5","1.5.3.rc6","1.5.4","1.5.4.rc1","1.5.4.rc2","1.5.4.rc3","1.5.5","1.5.5.rc1","1.5.5.rc2","1.5.5.rc3","1.5.6","1.5.6.rc1","1.5.6.rc2","1.5.6.rc3","1.5.7","1.5.7.rc1","1.5.7.rc2","1.5.7.rc3","1.5.8","1.5.9","1.6.0","1.6.0.rc1","1.6.1","1.6.2","1.6.2.1","1.6.2.rc1","1.6.2.rc2","1.6.2.rc3","1.6.3","1.6.3.1","1.6.3.rc1","1.6.3.rc2","1.6.3.rc3","1.6.4","1.6.4.1","1.6.5","1.6.6.1","1.6.6.2","1.6.6.3","1.6.6.4","1.6.7","1.6.7.1","1.6.7.2","1.6.7.rc2","1.6.7.rc3","1.6.7.rc4","1.6.8","1.6.8.1","1.6.8.rc1","1.6.8.rc2","1.6.8.rc3","1.7.0","1.7.0.1","1.7.1","1.7.2","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.9.0","1.9.0.rc1","1.9.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v2fc-qm4h-8hqv/GHSA-v2fc-qm4h-8hqv.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}