Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a null pointer dereference in Nokogiri, an XML/HTML parsing library for Ruby. Prior to version 1.19.4, calling certain methods on allocated‑but‑uninitialized native wrapper classes that inherit from Nokogiri::XML::Node could trigger a crash of the process. The failure results in a denial of service rather than code execution, because the fault leads to an unhandled exception that terminates the application.

Affected Systems

The bug affects the Nokogiri library distributed by sparklemotion. Versions before 1.19.4 are vulnerable. This impact applies to any Ruby application that includes Nokogiri 1.19.3 or earlier. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 1.7 indicates low severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no publicly known exploits. The most likely attack vector is a local process executing Ruby code that includes Nokogiri – e.g., a web application that parses user‑supplied XML or HTML. The vulnerability does not provide a remote code execution path, but it can be exploited to crash the application if the attacker can supply input that triggers the uninitialized wrapper behavior.

Generated by OpenCVE AI on June 25, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nokogiri to version 1.19.4 or newer.
  • If an immediate upgrade is not possible, modify application code to avoid calling the affected methods on uninitialized wrapper classes or ensure proper initialization before invocation.
  • Implement application‑level exception handling or process restart mechanisms to mitigate the denial of service impact.

Generated by OpenCVE AI on June 25, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.
Title Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes
Weaknesses CWE-476
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:48:24.125Z

Reserved: 2026-06-24T13:21:20.728Z

Link: CVE-2026-57434

cve-icon Vulnrichment

Updated: 2026-06-25T15:47:57.259Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T14:32:10Z

Links: CVE-2026-57434 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:25Z

Weaknesses