Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nokogiri, the Ruby XML/HTML parser, contains a use‑after‑free bug in its XInclude handling before version 1.19.4. When the library processes an <xi:include> element, it frees the include node and its children, leaving any Ruby objects that had previously been exposed to refer to deallocated memory. Using such an object can produce invalid reads or writes, potentially corrupting memory or enabling arbitrary code execution. This weakness corresponds to CWE‑416 and also to CWE‑825, indicating that freed memory can be accessed after deallocation.

Affected Systems

The vulnerability affects the Sparklemotion Nokogiri library for Ruby. Any application that installs Nokogiri prior to version 1.19.4 and uses XInclude processing is exposed. The issue is present in all releases before 1.19.4; upgrading to 1.19.4 or newer resolves the flaw.

Risk and Exploitability

The CVSS score of 2.2 reflects the low likelihood of exploitation; the EPSS score is currently unavailable, and the flaw is not listed in CISA's KEV catalog. Exploitation would require an attacker to control the XInclude content supplied to Nokogiri so that the freed node is later accessed through a Ruby object exposed by the application. Without such control, the risk remains limited. However, because the bug can lead to arbitrary memory writes, the potential impact, if exploited, could extend to code execution.

Generated by OpenCVE AI on June 26, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nokogiri gem to version 1.19.4 or newer
  • Audit application code to eliminate any exposure of <xi:include> nodes to Ruby objects
  • Ensure that the Gemfile and Gemfile.lock reference the updated Nokogiri version

Generated by OpenCVE AI on June 26, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}

threat_severity

Moderate


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.
Title Nokogiri: Possible Use-After-Free in XInclude Processing
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 2.2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T16:23:43.395Z

Reserved: 2026-06-24T13:21:20.729Z

Link: CVE-2026-57438

cve-icon Vulnrichment

Updated: 2026-06-25T16:23:40.327Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T14:39:23Z

Links: CVE-2026-57438 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T14:00:22Z

Weaknesses