Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H captures the three-step exploitation chain; C:L reflects the potential heap byte leak noted in the advisory and information disclosure tag.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.
AnalysisAI
Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three specific conditions must align simultaneously for exploitation: (1) the application must pass an attacker-controlled or otherwise invalid encoding value - specifically a non-string or a string containing a null byte - to Document#encoding= on a Nokogiri XML document; (2) the application must rescue the resulting Ruby exception rather than allowing it to propagate, terminate the operation, or replace the document; and (3) the application must subsequently call Document#encoding on the same, now-corrupted document object. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 score of 1.7 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L) is broadly accurate, with the AT:P (attack requirements: present) metric correctly capturing the non-default exploitation preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls input to a Ruby application that passes user-supplied data to Document#encoding= can submit a null-byte-containing string, causing the method to free the internal encoding pointer and raise a Ruby exception. If the application rescues this exception and continues using the same document object - for example, in an error-tolerant document processing pipeline - the next call to Document#encoding reads freed heap memory, either crashing the Ruby process or returning stale heap bytes as a string value. … |
| Remediation | Upgrade to Nokogiri 1.19.4 or later; this is the vendor-released patch (confirmed by GHSA-5v8h-3h3q-446p) and requires no changes to application-level public API usage. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Rub
Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high sever
Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a l
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium sev
NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema
Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointin
Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault wh
Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application cod
Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a seg
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39419