Nokogiri v1.19.4 - CRuby and JRuby Security Fixes


Nokogiri v1.19.4 was published on June 18, 2026, with security fixes for Ruby XML users on CRuby and JRuby. The most important item is the medium severity out-of-bounds read fix in XML::NodeSet#[], which matters more than its size suggests because the same code path is also reachable through #slice. This release is not marked as a prerelease.

The full release notes and downloads are on the GitHub release page.

CRuby memory safety fixes

Most of this release is about tightening CRuby wrapper behavior around XML objects. The notes list several low severity memory lifetime bugs that could lead to invalid reads or use after free behavior in unusual call paths.

The affected areas are not obscure internals only. They include copying nodes through XML::Node#initialize_copy_with_args, assigning Document#root=, changing Document#encoding=, setting an attribute through XML::Attr#value= or #content=, and running XInclude with Node#do_xinclude.

That matters for applications that accept XML and then pass document objects through helper code, background jobs, or plugin style extension points. These bugs need a narrow shape to trigger, but XML object lifetime issues are exactly the sort of thing that makes production failures unpleasant to debug. A clean security patch is the correct response here.

The release notes link each issue to a GitHub security advisory. That is useful for teams that need to map the update into ticket queues, scanner exceptions, or audit evidence without guessing which Ruby method was involved.

XML::NodeSet#[] gets a bounds fix

The one medium severity item is an out-of-bounds read in XML::NodeSet#[] (the same method is also exposed as #slice) when the caller passes a large negative index. That is a small API surface, but it is an ordinary method that application code calls directly, and the index is sometimes user influenced.

For Ruby services that parse HTML or XML from outside the trust boundary, this is worth treating as a routine security update. Code that indexes node sets from user influenced selectors should not need special guard code just to avoid native extension reads. The extension should reject bad indexes safely, and this release moves that path in the right direction.

This is also the fix most likely to show up in dependency scanners as the headline item, since it is the only medium severity entry in the notes. The rest of the CRuby fixes still matter, but this one is easier to connect to normal application code.
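As an added example (not code from the Nokogiri project or the release), here is a contract check that compares a collection's #[] and #slice against Array semantics on the indexes an out-of-bounds guard has to get right, including large negative ones. It runs on a plain Array and, when `require "nokogiri"` succeeds, on a NodeSet from a parsed document; the `UncheckedIndexer` class and the three-paragraph HTML are constructed for the demonstration. Run it against the patched gem in a throwaway process: on an unpatched build the large negative indexes are exactly the reads the advisory describes.

```ruby
# Added example; not Nokogiri's own code. Checks that a collection's #[] and
# #slice answer exactly as Array#[] does on the same elements for the indexes
# that an out-of-bounds guard must get right, including large negative ones.
# Works on Array and on anything with #length, #to_a, #[] and #slice, such as
# Nokogiri::XML::NodeSet (which is Enumerable and defines all four).
module NodeSetIndexContract
  module_function

  # Both ends, one past each end, and values far outside the range in both
  # directions. 2**62 still fits a C long, so it exercises the bounds guard
  # rather than Ruby's Integer-to-long conversion.
  def boundary_indexes(len)
    [0, len - 1, len, len + 1, -1, -len, -(len + 1), -(2**31), -(2**62), 2**62].uniq
  end

  # Returns [[method, index, got, expected], ...] for every disagreement.
  def mismatches(set)
    expected = set.to_a
    boundary_indexes(expected.length).flat_map do |i|
      [:[], :slice].filter_map do |m|
        got = set.public_send(m, i)
        [m, i, got, expected[i]] unless got == expected[i]
      end
    end
  end

  def conforms?(set)
    mismatches(set).empty?
  end
end

# Constructed stand-in for the bug class fixed in this release: the wrapper
# folds a negative index into the range but never re-checks the result. A
# native extension would read outside its buffer; this toy returns a sentinel.
class UncheckedIndexer
  def initialize(items)
    @items = items
  end

  def length
    @items.length
  end

  def to_a
    @items.dup
  end

  def [](i)
    i += length if i < 0
    return @items[i] if i >= 0 && i < length

    :bytes_outside_the_buffer
  end
  alias slice []
end

if $PROGRAM_NAME == __FILE__
  begin
    require "nokogiri"
    # Constructed input; run this after upgrading to confirm the patched NodeSet.
    doc = Nokogiri::HTML::Document.parse("<p>a</p><p>b</p><p>c</p>")
    p NodeSetIndexContract.mismatches(doc.css("p"))
  rescue LoadError
    p NodeSetIndexContract.mismatches(UncheckedIndexer.new(%w[a b c]))
  end
end
```

The check deliberately compares against `to_a` rather than against hard-coded answers, so the same code works for an empty set, a one-element set, or whatever a real selector returns. Every disagreement is reported with the method name, so a fix that covers #[] but misses #slice would show up as a separate line.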

JRuby schema parsing now honors NONET

Nokogiri enables the NONET parse option by default, but this release notes that XML::Schema on JRuby did not enforce it. With default options, schema parsing could still fetch external resources over the network.

The practical risk is SSRF-style or XXE-style fetching of attacker-chosen URLs during schema parsing, and the notes call out that this could bypass the mitigation for CVE-2020-26247. If the same codebase runs on both CRuby and JRuby, this is the kind of runtime difference that can hide in CI for too long, because the CRuby path already blocked the fetch and tests there would pass. After v1.19.4, the JRuby path is brought back in line with the expected default network block.

This fix is especially relevant for teams that validate XML against schemas supplied by customers, partners, or upstream systems. Default parser options are only useful when every runtime enforces them the same way. JRuby users should not treat this as a cosmetic parity patch.
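As an added example (not from the release notes or the Nokogiri project), a loopback probe that settles the question empirically for whichever runtime is in CI: it serves a schema whose `xs:import` points at a local listener, runs the schema parser inside a block, and reports whether the parser connected. The namespace URI, file name and schema content are constructed; the probe itself uses only the standard library, and the Nokogiri call at the end assumes the gem is installed.

```ruby
require "socket"

# Added example; not Nokogiri's own code. A loopback listener plus a schema
# whose xs:import points at it. Run any schema parser inside the block; the
# return value says whether the parser opened a connection, which is what
# NONET is supposed to prevent. The namespace URI and file name are made up.
class SchemaNetProbe
  attr_reader :port, :connections

  def initialize
    @server = TCPServer.new("127.0.0.1", 0)   # ephemeral port
    @port = @server.addr[1]
    @connections = 0
    @acceptor = Thread.new { accept_loop }
  end

  def schema_xml
    <<~XSD
      <?xml version="1.0"?>
      <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <xs:import namespace="urn:example:probe"
                   schemaLocation="http://127.0.0.1:#{@port}/probe.xsd"/>
        <xs:element name="root" type="xs:string"/>
      </xs:schema>
    XSD
  end

  # Yields the schema text; true if anything connected while the block ran.
  def network_touched?
    yield schema_xml
    @connections.positive?
  ensure
    @server.close
    @acceptor.join
  end

  private

  # Count each connection, then hang up so a fetching parser fails fast
  # instead of waiting for an HTTP response that never comes.
  def accept_loop
    loop do
      client = @server.accept
      @connections += 1
      client.close
    end
  rescue IOError, Errno::EBADF
    nil   # listener closed by #network_touched?
  end
end

# The real check: Nokogiri's schema parser with its default options. Needs
# the nokogiri gem; the probe itself only needs the standard library.
def nokogiri_schema_fetches_imports?
  require "nokogiri"
  SchemaNetProbe.new.network_touched? do |xsd|
    Nokogiri::XML::Schema.new(xsd)   # defaults are meant to include NONET
  rescue Nokogiri::XML::SyntaxError
    nil   # a refused import may surface as a schema error; only the connection matters
  end
end

if $PROGRAM_NAME == __FILE__
  begin
    puts(nokogiri_schema_fetches_imports? ? "schema parser reached the network" : "no network access")
  rescue LoadError
    puts "nokogiri gem not installed; drive the probe with a stand-in client instead"
  end
end
```

Run it under both CRuby and JRuby in the same pipeline; a parser that honours NONET never reaches the listener, so `network_touched?` returns false on both. The listener hangs up as soon as it counts a connection, so a parser that does fetch fails quickly rather than blocking the build on an HTTP response, and the count is incremented before the hang-up so the result is already visible by the time the parser gives up.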

Checksums help package verification

The release includes SHA256 checksums for the published gem artifacts. The list covers Linux GNU and musl builds, Darwin builds, Windows UCRT, Java, and the generic gem.

For most teams, Bundler and RubyGems handle the boring part. Operators who mirror gems, build base images, or maintain private package caches may still want the checksums from the release page. They provide a simple way to confirm the artifact that entered the build pipeline is the artifact Nokogiri published.
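An added example (not Nokogiri's tooling) of that confirmation step in Ruby: a verifier for the `<sha256hex>  <filename>` list format that `sha256sum -c` also reads. It streams each gem so large native builds are not read into memory, and it reports missing and mismatched artifacts separately instead of stopping at the first problem. The file names and contents in the test path are constructed; the release page's checksum list and your mirror directory are the real inputs.

```ruby
require "digest"

# Added example; not Nokogiri's own code. Verifies files against a
# "<sha256hex>  <filename>" list of the kind published with a release, the
# format `sha256sum -c` reads.
module ChecksumVerify
  module_function

  # "hex  name" or "hex *name" (the asterisk marks binary mode in coreutils).
  LINE = /\A([0-9a-fA-F]{64})\s+\*?(\S.*)\z/

  # Parses the list into { filename => expected_hex }; ignores blank lines
  # and raises on anything that is not a checksum entry, because a silently
  # skipped line is how a tampered list would hide an artifact.
  def parse_list(text)
    text.each_line.with_object({}) do |line, out|
      line = line.strip
      next if line.empty?

      m = LINE.match(line) or raise ArgumentError, "bad checksum line: #{line.inspect}"
      out[m[2]] = m[1].downcase
    end
  end

  # Streams the file through SHA-256 rather than slurping it.
  def sha256_of(path)
    Digest::SHA256.file(path).hexdigest
  end

  # Returns { ok: [...], mismatch: [...], missing: [...] } for the entries
  # in `list_text`, looking each file up directly under `dir`.
  def verify(list_text, dir)
    result = { ok: [], mismatch: [], missing: [] }
    parse_list(list_text).each do |name, expected|
      # basename: a hostile list must not be able to point outside `dir`.
      path = File.join(dir, File.basename(name))
      if !File.file?(path)
        result[:missing] << name
      elsif sha256_of(path) == expected
        result[:ok] << name
      else
        result[:mismatch] << name
      end
    end
    result
  end

  # True only when every listed artifact is present and matches.
  def all_verified?(list_text, dir)
    r = verify(list_text, dir)
    r[:mismatch].empty? && r[:missing].empty? && !r[:ok].empty?
  end
end

# Usage: ruby verify.rb SHA256SUMS ./gems  (assumed file and directory names)
if $PROGRAM_NAME == __FILE__ && ARGV.length == 2
  report = ChecksumVerify.verify(File.read(ARGV[0]), ARGV[1])
  report.each { |kind, names| names.each { |n| puts "#{kind}: #{n}" } }
  exit(report[:mismatch].empty? && report[:missing].empty? ? 0 : 1)
end
```

Keeping missing and mismatched artifacts in separate buckets matters in practice: a mirror that never received a platform gem is an operational gap, while a mirror serving bytes whose hash differs from the published one is an incident, and the two should not land in the same ticket.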

The notes do not describe migration steps or breaking API changes. The shape of the release is patch update first, audit paperwork second, and no drama if dependency constraints allow the new gem.

Where to get it



denis256 at denis256.dev