Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in Nokogiri’s native C extension. When a Ruby program replaces the value of an XML attribute, the underlying native child node can be freed while a Ruby wrapper remains in the document cache. Subsequent access or a garbage‑collection mark can dereference the invalid memory, resulting in an invalid read or a segmentation fault that can crash the process. This creates a denial of service condition for the affected Ruby application.

Affected Systems

Sparklemotion’s Nokogiri library for Ruby is affected. Any installation that uses a Nokogiri version older than 1.19.4 is vulnerable. The precise affected version range is not explicitly listed in the source, but the description indicates that all releases prior to 1.19.4, from the earliest 1.x series through 1.19.3, are potentially impacted.

Risk and Exploitability

The CVSS score of 1.7 indicates a low severity due to limited impact and a local exploitation surface. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is a local attacker or compromised application that can run arbitrary Ruby code with Nokogiri. Exploitation requires the ability to set an attribute’s value after the attribute has already been accessed, so the vulnerability is constrained to applications with that specific coding pattern.

Generated by OpenCVE AI on June 25, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nokogiri to version 1.19.4 or later.
  • Refactor any code that sets an attribute value after the attribute’s child nodes have been accessed, ensuring that the modification occurs before any child access.
  • If upgrading is not immediately possible, isolate the vulnerable code in a separate process or container to contain any crashes and prevent denial of service to the wider application.

Generated by OpenCVE AI on June 25, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.
Title Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`
Weaknesses CWE-416
CWE-825
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T14:53:19.607Z

Reserved: 2026-06-24T13:21:20.728Z

Link: CVE-2026-57435

cve-icon Vulnrichment

Updated: 2026-06-25T14:53:16.091Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T14:32:49Z

Links: CVE-2026-57435 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:23Z

Weaknesses