GHSA-wx95-c6cv-8532: Nokogiri does not check the return value from xmlC14NExecute

February 18, 2026

Nokogiri’s CRuby extension fails to check the return value from xmlC14NExecute in the method Nokogiri::XML::Document#canonicalize and Nokogiri::XML::Node#canonicalize. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.

JRuby is not affected, as the Java implementation correctly raises RuntimeError on canonicalization failure.

References

github.com/advisories/GHSA-wx95-c6cv-8532
github.com/sparklemotion/nokogiri
github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532

Code Behaviors & Features

Detect and mitigate GHSA-wx95-c6cv-8532 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →