Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nokogiri’s Document#root= method previously only verified that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. This oversight triggers a heap use‑after‑free during garbage collection or finalization, resulting in an invalid memory read or a segmentation fault. The weakness is classified as both CWE-416: Use-After‑Free and CWE-1287.

Affected Systems

The vulnerability affects the Nokogiri XML/HTML library for the Ruby programming language, distributed by Sparklemotion. All releases prior to version 1.19.4 are susceptible. Ruby applications that load or parse XML/HTML via Nokogiri and subsequently set the document root with untrusted content may be impacted.

Risk and Exploitability

The CVSS score of 1.7 indicates a low overall severity, and the EPSS score is <1% (0.00312), suggesting low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local or application‑specific; an attacker must be able to inject a DTD node into the Nokogiri parsing process to trigger the use‑after‑free. If successful, the result may be a crash or denial of service for the impacted Ruby process. The mitigated state is restored by applying the patch introduced in version 1.19.4.

Generated by OpenCVE AI on June 29, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nokogiri to version 1.19.4 or later to ensure the root node type is properly validated
  • Validate that any node assigned to Document#root= is a legitimate Nokogiri::XML::Node and not a DTD before calling the method
  • If an immediate upgrade is not feasible, restrict the application to accept only trusted XML/HTML content and monitor for segmentation faults or crashes

Generated by OpenCVE AI on June 29, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Fri, 26 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.
Title Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T23:27:34.410Z

Reserved: 2026-06-24T13:21:20.729Z

Link: CVE-2026-57436

cve-icon Vulnrichment

Updated: 2026-06-25T23:27:29.725Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T14:33:29Z

Links: CVE-2026-57436 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:15:05Z

Weaknesses
  • CWE-1287

    Improper Validation of Specified Type of Input

  • CWE-416

    Use After Free