Skip to main content

Nokogiri CVE-2026-57435

| EUVDEUVD-2026-39426 LOW
Use After Free (CWE-416)
2026-06-25 GitHub_M
1.7
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
1.7 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

AV:N retained because Nokogiri processes external input; AC:H reflects the unusual application-code pattern required; only low availability impact, no C or I consequence.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 16:03 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 15:22 vuln.today
Analysis Generated
Jun 25, 2026 - 15:22 vuln.today

DescriptionCVE.org

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.

AnalysisAI

Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via Attr#value= or #content=. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply crafted XML/HTML to target application
Delivery
Application accesses attribute child node via Attr#child
Exploit
Application calls Attr#value= on same attribute
Execution
Native C child node freed, Ruby wrapper retained in document cache
Persist
GC mark traversal or direct access dereferences freed pointer
Impact
Process segfault causes application crash

Vulnerability AssessmentAI

Exploitation Three specific conditions must all be true simultaneously: (1) the deployment uses the CRuby native extension - JRuby is not affected; (2) application code accesses an XML attribute's child node via `Attr#child` or a similar accessor, creating a Ruby wrapper retained in the document node cache; and (3) the same application code subsequently calls `Attr#value=` or `#content=` on that same attribute, triggering the native free. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U) yields a score of 1.7, accurately capturing that impact is limited to a potential availability disruption with zero confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application processing externally supplied XML that first reads an attribute's child node (e.g., `attr.child` to inspect text structure) and then replaces the attribute's value in the same code path triggers the freed-pointer condition. If the Ruby GC runs before the next use of the stale wrapper, the process segfaults, causing a denial-of-service crash. …
Remediation Upgrade to Nokogiri 1.19.4 or later - vendor-released patch confirmed at https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-29181 HIGH POC
8.2 May 20

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely

CVE-2019-5477 CRITICAL
9.8 Aug 16

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Rub

CVE-2022-23476 HIGH
7.5 Dec 08

Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this

CVE-2022-24836 HIGH
7.5 Apr 11

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2021-41098 HIGH
7.5 Sep 27

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high sever

CVE-2026-57235 MEDIUM
6.3 Jun 25

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a l

CVE-2020-26247 MEDIUM
4.3 Dec 30

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium sev

CVE-2026-57234 LOW
2.6 Jun 25

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema

CVE-2026-57438 LOW
2.2 Jun 25

Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointin

CVE-2026-57437 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault wh

CVE-2026-57436 LOW
1.7 Jun 25

Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application cod

CVE-2026-57434 LOW
1.7 Jun 25

Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.

Share

CVE-2026-57435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy