nokogiri uses the libxml2 C library. The version that nokogiri uses is vulnerable to CVE-2017-5969 which allows a malicious user to pass a file to the application, triggering a null pointer dereference causing it to crash.