Skip to main content

Nokogiri CVE-2026-57434

| EUVDEUVD-2026-39424 LOW
NULL Pointer Dereference (CWE-476)
2026-06-25 GitHub_M
1.7
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
1.7 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

AC:H reflects the specific developer anti-pattern prerequisite; A:L captures process-level crash only; no confidentiality or integrity impact applies.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 16:03 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 15:22 vuln.today
Analysis Generated
Jun 25, 2026 - 15:22 vuln.today

DescriptionCVE.org

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.

AnalysisAI

Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls .allocate directly on a native-backed class inheriting from Nokogiri::XML::Node and then invokes methods on the resulting uninitialized object. Only CRuby is affected - JRuby is explicitly not vulnerable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Developer writes code calling .allocate on native Nokogiri class
Delivery
Object allocated without C native pointer
Exploit
Method invoked on uninitialized object
Execution
NULL pointer dereference in C extension
Persist
Ruby process crashes
Impact
Application availability lost

Vulnerability AssessmentAI

Exploitation Exploitation requires application source code to explicitly call Ruby's `.allocate` method on a Nokogiri class that inherits from `Nokogiri::XML::Node` and then invoke any method on the resulting uninitialized instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is very low across all available signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Ruby application contains a code path where a developer has mistakenly called `.allocate` on a Nokogiri native-backed class - for instance, `Nokogiri::XML::Node.allocate` - and subsequently invokes a standard Nokogiri method on the resulting uninitialized object. This dereferences a NULL C pointer in the native extension, crashing the Ruby process and causing a denial of service for that application instance. …
Remediation Vendor-released patch: 1.19.4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-29181 HIGH POC
8.2 May 20

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely

CVE-2019-5477 CRITICAL
9.8 Aug 16

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Rub

CVE-2022-23476 HIGH
7.5 Dec 08

Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this

CVE-2022-24836 HIGH
7.5 Apr 11

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2021-41098 HIGH
7.5 Sep 27

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high sever

CVE-2026-57235 MEDIUM
6.3 Jun 25

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a l

CVE-2020-26247 MEDIUM
4.3 Dec 30

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium sev

CVE-2026-57234 LOW
2.6 Jun 25

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema

CVE-2026-57438 LOW
2.2 Jun 25

Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointin

CVE-2026-57437 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault wh

CVE-2026-57436 LOW
1.7 Jun 25

Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application cod

CVE-2026-57435 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a seg

Share

CVE-2026-57434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy