GHSA-v2fc-qm4h-8hqv: Nokogiri XSLT transform has a memory leak
Nokogiri’s Nokogiri::XSLT::Stylesheet#transform leaks a small heap allocation when passed a Ruby string parameter containing a null byte.
For applications that pass attacker-controlled input through XSLT.transform parameters, this may be a vector for a denial-of-service attack against long-running processes.
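An input check for the condition described above, as an added example that is not part of the advisory or of Nokogiri's own code: it rejects any XSLT parameter name or value containing a null byte before the parameters reach Nokogiri::XSLT::Stylesheet#transform. The helper names (checked_xslt_params, UnsafeXsltParam) are hypothetical.

```ruby
# Added example: reject NUL bytes in XSLT parameters before they reach
# Nokogiri::XSLT::Stylesheet#transform. All helper names are hypothetical.

class UnsafeXsltParam < ArgumentError; end

NUL = "\x00".b

# transform takes its params as a Hash or as a flat
# [name, value, name, value, ...] Array; normalise both to pairs.
def xslt_param_pairs(params)
  case params
  when Hash
    params.to_a
  when Array
    raise UnsafeXsltParam, "odd number of array entries" if params.length.odd?
    params.each_slice(2).to_a
  else
    raise UnsafeXsltParam, "params must be a Hash or Array"
  end
end

# Compare as raw bytes so strings with invalid encodings are still checked.
def contains_nul?(value)
  value.to_s.b.include?(NUL)
end

# Returns a flat array of strings, or raises if any name or value
# carries a NUL byte.
def checked_xslt_params(params)
  pairs = xslt_param_pairs(params)
  pairs.each do |name, value|
    if contains_nul?(name) || contains_nul?(value)
      raise UnsafeXsltParam, "NUL byte in XSLT parameter #{name.to_s.inspect}"
    end
  end
  pairs.flatten(1).map(&:to_s)
end

# Usage (stylesheet and doc are assumed to exist in the caller):
#   stylesheet.transform(doc, checked_xslt_params(user_params))
```

Rejecting the request outright, rather than stripping the byte, keeps the rejection visible in application logs for long-running processes that receive repeated malformed input.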