CVE-2026-57437 | Nokogiri is an open source XML and HTML library for the Ruby… | CVSS 1.7 LOW

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.

Metadata

CVE ID: CVE-2026-57437
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-24 13:21 UTC
Published: 2026-06-25 14:34 UTC
Last updated: 2026-06-25 15:00 UTC
Primary CWE: CWE-416
CWE-416: Use After Free
Vendor / Product: sparklemotion / nokogiri
Sources: cve.org · NVD

Severity & Metrics

1.7 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
sparklemotion	nokogiri	—	< 1.19.4

Weakness (CWE)

CWE	Source	Description
CWE-416	cna	CWE-416: Use After Free

CVSS scores (1)

Score	Severity	Version	Source	Vector
1.7	LOW	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

References (1)

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7