Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nokogiri is an open‑source XML and HTML parsing library for Ruby. A defect in releases prior to 1.19.4 allows the class Nokogiri::XML::XPathContext to outlive its source document without retaining a reference, so the garbage collector can free the document while the context is still in use. This issue combines a use‑after‑free vulnerability (CWE‑416) with an improper object lifetime violation (CWE‑771). Evaluating an XPath expression with such an obsolete context can access invalid memory, leading to a segmentation fault. The flaw is not triggered by malicious input and is only exploitable when an application constructs an XPathContext directly and then lets the associated document become unreachable; it does not provide an attacker with code execution or data disclosure but can cause application crashes and potential denial of service.

Affected Systems

The vendor is Sparklemotion Nokogiri for the Ruby programming language. All releases of the Nokogiri gem before 1.19.4 are affected. There are no specific vendor component or subcomponent limitations beyond the Ruby library itself.

Risk and Exploitability

The CVSS base score is 1.7, reflecting a low‑severity threat. EPSS score is < 1%, indicating a very low chance of exploitation. The vulnerability is not listed in CISA’s KEV catalog, meaning no publicly known exploits are in use. Because the flaw requires the application to instantiate XPathContext directly and to allow the source document to become unreachable, exploitation is limited to a design error rather than an attack surface. The primary impact is a denial‑of‑service through segfault; the likelihood of exploitation is low under normal use, but any code path that mismanages document lifetimes could trigger it.

Generated by OpenCVE AI on June 27, 2026 at 02:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Nokogiri gem to version 1.19.4 or later to apply the official fix.
  • Refactor any application code that creates Nokogiri::XML::XPathContext directly so that the context does not outlive its source document; prefer using Document#xpath or Document#css methods instead.
  • Add unit and integration tests to verify that no XPathContext objects remain after their corresponding documents are released, and conduct a code audit to locate and correct any remaining misuse.

Generated by OpenCVE AI on June 27, 2026 at 02:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-771
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.
Title Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyond document lifetime
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:00:01.455Z

Reserved: 2026-06-24T13:21:20.729Z

Link: CVE-2026-57437

cve-icon Vulnrichment

Updated: 2026-06-25T14:59:58.003Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T14:34:09Z

Links: CVE-2026-57437 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:30:03Z

Weaknesses
  • CWE-416

    Use After Free

  • CWE-771

    Missing Reference to Active Allocated Resource