Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nokogiri, a widely used XML and HTML parser for Ruby, contains a flaw in its NodeSet indexing function. The library truncates the requested index to 32 bits before performing bounds checking, so a very large negative index can bypass the bounds check and read memory outside the node set. In the CRuby implementation this out‑of‑bounds read typically crashes the process, causing a denial‑of‑service. In JRuby the bug does not crash the JVM but returns an invalid node, which can lead to incorrect behavior or data leakage. The vulnerability may expose sensitive information or disrupt application execution, depending on the platform and deployment context.

Affected Systems

Ruby applications that depend on the Nokogiri gem before version 1.19.4 are affected. Based on common patterns, this includes many web frameworks that ship Nokogiri, such as Rails and Sinatra, as well as custom scripts or services that parse XML or HTML and may accept untrusted input. An application that calls Nokogiri::XML::NodeSet#[] or its alias #slice with a large negative index could trigger the flaw.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the EPSS score is not available, implying no widespread, publicly known exploitation at the time of analysis. Since the vulnerability is not listed in CISA's KEV catalog, it is not a known exploited vulnerability. The likely attack vector is an attacker providing a crafted XML payload containing a large negative index to the Ruby application that processes untrusted XML. Local privilege is sufficient to trigger the crash, and the risk escalates if the application runs with elevated permissions or handles sensitive data. The attack would cause a denial of service or potentially leak memory contents, especially on CRuby installations.

Generated by OpenCVE AI on June 25, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nokogiri gem to v1.19.4 or newer.
  • Validate and sanitize XML/HTML input to prevent large negative indices before parsing.
  • Run the Ruby application with the least privileges necessary and restrict who can supply XML content to the parser.

Generated by OpenCVE AI on June 25, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node. This vulnerability is fixed in 1.19.4.
Title Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`
Weaknesses CWE-125
CWE-190
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:41:16.630Z

Reserved: 2026-06-24T02:21:33.812Z

Link: CVE-2026-57235

cve-icon Vulnrichment

Updated: 2026-06-25T15:41:09.876Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T14:31:10Z

Links: CVE-2026-57235 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:27Z

Weaknesses