CVE-2026-57437
Awaiting Analysis
Use-After-Free in Nokogiri Ruby XML Library

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor         Product    Version / Range
nokogiri       nokogiri   to 1.19.4 (inc)
sparklemotion  nokogiri   1.19.4
CWE
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

This vulnerability is a use-after-free issue in Nokogiri's Nokogiri::XML::XPathContext. It occurs when an XPathContext object outlives its source XML document, and the document is garbage collected while the XPathContext is still in use. Evaluating an XPath expression in this state can cause the program to read invalid memory and potentially crash with a segmentation fault.

This problem only arises if application code directly constructs an XPathContext and allows the source document to become unreachable while continuing to use the XPathContext. Normal Nokogiri document search methods like Document#xpath or #css are not affected.

The vulnerability is fixed in Nokogiri version 1.19.4 by ensuring the XPathContext keeps its source document alive as long as the context exists.

Impact Analysis

If your application uses Nokogiri and directly constructs XPathContext objects without keeping the source document referenced, this vulnerability could cause your application to crash unexpectedly due to segmentation faults.

However, the impact is limited because this requires an unusual usage pattern not common in normal operations, and normal Nokogiri search methods are not affected.

To avoid this impact, you should upgrade to Nokogiri version 1.19.4 or later, or ensure that the source document remains referenced while any XPathContext derived from it is in use.

Detection Guidance

This vulnerability occurs only when application code directly constructs a Nokogiri::XML::XPathContext and allows its source document to be garbage collected while the context is still in use. It is not triggered by normal document search methods or malicious input.

Detection would involve reviewing your Ruby application code to identify any direct usage of Nokogiri::XML::XPathContext where the source document might become unreachable before the context is discarded.

There are no specific network or system commands provided to detect this vulnerability automatically.

A practical approach is to check the Nokogiri version installed on your system using the following Ruby command:

  • ruby -rnokogiri -e 'puts Nokogiri::VERSION'

If the version is earlier than 1.19.4, your application may be vulnerable if it uses the affected API pattern.
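
The code review and version check described above can be combined into one audit pass. This is an added example, not code from this page or from the Nokogiri project; the function names, the regex heuristic and the sample files are assumptions constructed for illustration.

```ruby
# Added example: heuristic audit for direct XPathContext construction.
FIXED_VERSION = Gem::Version.new("1.19.4") # fixed release named in the advisory

# Matches direct construction, with or without a Nokogiri::XML:: prefix.
CONTEXT_CTOR = /\bXPathContext\.new\b/

# True when the given Nokogiri version string predates the fix.
def affected_version?(version)
  Gem::Version.new(version) < FIXED_VERSION
end

# Returns one hash per non-comment line that constructs an XPathContext.
def find_context_constructions(source)
  source.each_line.with_index(1).filter_map do |text, lineno|
    code = text.sub(/#.*\z/m, "") # naive comment strip; ignores '#' inside strings
    next unless code.match?(CONTEXT_CTOR)
    { line: lineno, code: text.strip }
  end
end

# Reports call sites to review, only when the installed version is affected.
def audit(files, nokogiri_version)
  return [] unless affected_version?(nokogiri_version)
  files.flat_map do |path, source|
    find_context_constructions(source).map { |hit| hit.merge(file: path) }
  end
end

# Constructed sample input (not real project code).
SAMPLE_FILES = {
  "app/feed_parser.rb" => <<~'RUBY',
    def build_context(xml)
      doc = Nokogiri::XML(xml)
      Nokogiri::XML::XPathContext.new(doc)  # doc is unreferenced after return
    end
  RUBY
  "app/search.rb" => <<~'RUBY'
    def titles(doc)
      # Nokogiri::XML::XPathContext.new is not used here
      doc.xpath("//title").map(&:text)
    end
  RUBY
}

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_FILES, "1.19.3").each { |h| puts "#{h[:file]}:#{h[:line]}: #{h[:code]}" }
end
```

Each hit is a call site to review by hand: the question is whether the document passed to the constructor stays referenced for as long as the context is used.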

Mitigation Strategies

The primary mitigation is to upgrade Nokogiri to version 1.19.4 or later, where the vulnerability is fixed by ensuring the XPathContext keeps its source document alive.

Alternatively, if upgrading is not immediately possible, ensure that your application code maintains a reference to the source document for as long as any XPathContext derived from it is in use, preventing the document from being garbage collected prematurely.

Since this vulnerability requires an unusual API usage pattern, reviewing and modifying the code to avoid constructing XPathContext directly or to manage document lifetimes properly can also mitigate the risk.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
