Platform
linux
Component
libxslt
Fixed version
1.1.43
CVE-2025-24855 is a use-after-free vulnerability discovered in the libxslt library, impacting Nokogiri versions 1.9.1 and earlier. This flaw, rated 7.8 (HIGH) on the CVSS scale, can potentially lead to remote code execution if exploited. The vulnerability is resolved by upgrading to Nokogiri version 1.18.4, which updates the underlying libxslt dependency.
The use-after-free vulnerability in libxslt, as exploited through Nokogiri, allows an attacker to potentially execute arbitrary code on a vulnerable system. This occurs due to improper handling of XPath context nodes, leading to memory corruption. Successful exploitation could allow an attacker to gain control of the application server, access sensitive data, or even compromise the entire system. The MITRE assessment highlights potential for high impact, including confidentiality and integrity compromises, and the ability to achieve remote code execution with no user interaction. This vulnerability shares similarities with other memory corruption exploits, where attackers can manipulate memory to achieve unauthorized access or control.
CVE-2025-24855 was publicly disclosed on March 14, 2025. It is associated with CVE-2024-55549, also addressed in the libxslt update. The vulnerability is tracked on the NVD (National Vulnerability Database). There is currently no indication of active exploitation campaigns targeting this specific vulnerability, but the high severity rating warrants immediate attention. The EPSS score is pending evaluation.
Ruby applications that rely on Nokogiri for XML parsing are at risk. This includes web applications, data processing pipelines, and any system using Nokogiri to handle XML data. Specifically, systems using older versions of Nokogiri, or those running in environments with limited patching capabilities, are particularly vulnerable.
• ruby / gem: Run gem list nokogiri to check the installed version. If it is ≤1.9.1, the system is vulnerable. Run grep -r 'xsltEvalXPathStringNs' * within the Nokogiri gem directory to identify potential usage of the vulnerable function.
• generic web: Examine application logs for unusual XPath expressions or errors related to XML processing. Monitor network traffic for suspicious requests targeting XML endpoints.
• linux / server: Monitor system logs for crashes or errors related to libxslt. Use lsof to identify processes using libxslt and investigate their behavior.
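To make the version check above less error-prone, here is an added example (not code from the advisory or from the Nokogiri project) that compares an install against the fixed releases named on this page. It assumes the hash it receives has the shape of Nokogiri::VERSION_INFO, where "libxslt" => {"loaded" => ...} reports the library actually in use; a naive string comparison would wrongly rank "1.9.1" above "1.18.4", so Gem::Version is used instead.

```ruby
# Added example: classify a Nokogiri install against the fixed versions in this
# advisory (Nokogiri 1.18.4, libxslt 1.1.43). Not from the advisory or the gem.
require "rubygems" # Gem::Version compares "1.9.1" < "1.18.4" numerically

FIXED_NOKOGIRI = Gem::Version.new("1.18.4")
FIXED_LIBXSLT  = Gem::Version.new("1.1.43")

# version_info: a hash shaped like Nokogiri::VERSION_INFO. Older releases put a
# plain string under "nokogiri", newer ones a hash with a "version" key.
# Returns :fixed, :vulnerable or :unknown.
def assess(version_info)
  gem_ver = version_info["nokogiri"]
  gem_ver = gem_ver["version"] if gem_ver.is_a?(Hash)
  xslt_ver = version_info.dig("libxslt", "loaded")
  return :unknown if gem_ver.nil? && xslt_ver.nil?

  # The loaded libxslt decides when it is known: a Nokogiri built with
  # --use-system-libraries is fixed once the distro ships libxslt 1.1.43, and an
  # old vendored libxslt stays vulnerable whatever the gem version says.
  if xslt_ver
    return Gem::Version.new(xslt_ver) >= FIXED_LIBXSLT ? :fixed : :vulnerable
  end
  # Fall back to the gem version; a pre-release such as 1.18.4.rc1 sorts below
  # 1.18.4 and is therefore still reported as vulnerable.
  Gem::Version.new(gem_ver) >= FIXED_NOKOGIRI ? :fixed : :vulnerable
rescue ArgumentError # malformed version string
  :unknown
end

# Constructed sample in the shape of Nokogiri::VERSION_INFO (not a real capture).
SAMPLE_OLD_INSTALL = {
  "nokogiri" => { "version" => "1.9.1" },
  "libxslt"  => { "loaded" => "1.1.32" },
}

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri"
    puts "this host: #{assess(Nokogiri::VERSION_INFO)}"
  rescue LoadError
    puts "nokogiri not installed here; constructed sample: #{assess(SAMPLE_OLD_INSTALL)}"
  end
end
```

Distribution packages sometimes backport the fix without bumping the version number, so a :vulnerable result for a system libxslt should be confirmed against the package changelog before raising an incident.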
disclosure
Exploitation status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-24855 is to upgrade Nokogiri to version 1.18.4 or later. If an immediate upgrade is not feasible due to compatibility issues, consider temporarily isolating vulnerable systems or implementing stricter network controls to limit potential attack vectors. While a direct workaround is not available, implementing Web Application Firewall (WAF) rules to filter potentially malicious XPath expressions could provide a temporary layer of defense. After upgrading, verify the fix by attempting to trigger the XPath evaluation that previously exposed the vulnerability and confirming that no errors or crashes occur.
Update the libxslt library to version 1.1.43 or later. This fixes the use-after-free vulnerability. You can obtain the latest version from the vendor's website or through your operating system's package manager.
CVE-2025-24855 is a HIGH severity use-after-free vulnerability affecting Nokogiri versions 1.9.1 and earlier, stemming from an outdated libxslt dependency. It can potentially lead to remote code execution.
Yes, if you are using Nokogiri version 1.9.1 or earlier, you are affected by this vulnerability. Check your installed version using gem list nokogiri.
Upgrade Nokogiri to version 1.18.4 or later using gem install nokogiri:1.18.4 or your preferred package manager.
There is currently no indication of active exploitation campaigns targeting this specific vulnerability, but the high severity rating warrants immediate attention.
Refer to the Nokogiri project's release notes and security advisories on their official website or GitHub repository for the latest information.