CVE-2021-3537: Nokogiri implements a libxml2 version vulnerable to NULL pointer dereference
CVSS score: 5.9
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| nokogiri | rubygems | < 1.11.4 | 1.11.4 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability (CVE-2021-3537) resides in the libxml2 C library, in versions prior to 2.9.11, and is triggered when XML mixed content is parsed in recovery mode. Nokogiri bundles libxml2, so Nokogiri releases built against a vulnerable libxml2 (e.g., 2.9.10) are affected. The referenced commit 9b90a8854f74b5f672a437ba0043a503bc259d1b upgrades the bundled libxml2 from 2.9.10 to 2.9.12, which includes the fix.

The identified Nokogiri functions, Nokogiri::XML::Document.parse and Nokogiri.XML, are the primary Ruby API entry points for parsing XML documents. Both accept parse options, including recovery mode (Nokogiri::XML::ParseOptions::RECOVER). When they are invoked with recovery mode enabled on a Nokogiri version that includes the vulnerable libxml2, they pass the input to the vulnerable C code, potentially triggering the NULL pointer dereference and crashing the application. These Nokogiri functions would therefore appear in a runtime profile during exploitation of this vulnerability.
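Because exposure depends on the libxml2 that Nokogiri actually loads at runtime (a gem older than 1.11.4 linked against a patched system libxml2 is fine, while a newer gem linked against an old system libxml2 is not), the check below inspects the loaded library version rather than only the gem version. This is an added example, not part of the advisory and not Nokogiri's own code. It assumes the layout of the Nokogiri::VERSION_INFO hash ("nokogiri" => {"version"}, "libxml" => {"source", "compiled", "loaded"}) and the ParseOptions#strict method; the three sample hashes are constructed to mirror that layout. The strict-mode helper at the end is a stop-gap only: the advisory ties the crash to recovery mode, so failing closed on malformed untrusted input reduces the trigger surface, but the fix is the libxml2 upgrade.

```ruby
require "rubygems" # Gem::Version for semantic version comparison (stdlib)

# Versions taken from the advisory text: first libxml2 release with the fix,
# and first Nokogiri release bundling a fixed libxml2.
FIXED_LIBXML2  = Gem::Version.new("2.9.11")
FIXED_NOKOGIRI = Gem::Version.new("1.11.4")

Assessment = Struct.new(:vulnerable, :nokogiri_version, :libxml_loaded, :reason)

# Assess a hash shaped like Nokogiri::VERSION_INFO (assumed layout, see lead-in).
# The loaded libxml2 version decides; the gem version is reported as context.
def assess(version_info)
  nk = version_info["nokogiri"]
  nk_version = nk.is_a?(Hash) ? nk["version"].to_s : nk.to_s
  lib = version_info.fetch("libxml")
  loaded = (lib["loaded"] || lib["compiled"]).to_s
  lib_old = Gem::Version.new(loaded) < FIXED_LIBXML2
  gem_old = !nk_version.empty? && Gem::Version.new(nk_version) < FIXED_NOKOGIRI

  reason =
    if lib_old
      "libxml2 #{loaded} (#{lib["source"]}) is older than #{FIXED_LIBXML2}; " \
      "recovery-mode parsing of untrusted XML can hit the NULL dereference" \
      "#{gem_old ? "; upgrade nokogiri to >= #{FIXED_NOKOGIRI}" : "; rebuild against a patched libxml2"}"
    else
      "libxml2 #{loaded} (#{lib["source"]}) includes the fix"
    end

  Assessment.new(lib_old, nk_version, loaded, reason)
end

# Assess the interpreter this script runs in; nil when Nokogiri is not installed.
def local_assessment
  require "nokogiri"
  assess(Nokogiri::VERSION_INFO)
rescue LoadError
  nil
end

# Stop-gap for untrusted input: Nokogiri's default XML options include RECOVER,
# so it is cleared explicitly. Malformed documents then raise
# Nokogiri::XML::SyntaxError instead of being repaired in recovery mode.
def parse_strict(xml)
  require "nokogiri"
  Nokogiri::XML(xml) { |opts| opts.strict }
end

# Constructed samples mirroring the assumed VERSION_INFO layout.
SAMPLE_VULNERABLE = {
  "nokogiri" => { "version" => "1.11.3" },
  "libxml"   => { "source" => "packaged", "compiled" => "2.9.10", "loaded" => "2.9.10" },
}.freeze
SAMPLE_PATCHED = {
  "nokogiri" => { "version" => "1.11.4" },
  "libxml"   => { "source" => "packaged", "compiled" => "2.9.12", "loaded" => "2.9.12" },
}.freeze
# New gem, but dynamically linked against an old system libxml2: still exposed.
SAMPLE_SYSTEM_OLD = {
  "nokogiri" => { "version" => "1.11.4" },
  "libxml"   => { "source" => "system", "compiled" => "2.9.12", "loaded" => "2.9.10" },
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = local_assessment || assess(SAMPLE_VULNERABLE)
  puts "nokogiri #{result.nokogiri_version}, libxml2 #{result.libxml_loaded}: " \
       "#{result.vulnerable ? "VULNERABLE" : "ok"} (#{result.reason})"
end
```

Run it inside the application's bundle (`bundle exec ruby check.rb`) so that the Nokogiri and libxml2 reported are the ones the application loads; without Nokogiri installed it falls back to the constructed vulnerable sample so the output format can still be seen.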