Memory Management Vulnerability in Nokogiri Library for Ruby
CVE-2026-57437

1.7 LOW

Key Information:

Status
Vendor
CVE Published: 25 June 2026

What is CVE-2026-57437?

Nokogiri, an open-source XML and HTML library for Ruby, has a memory management vulnerability in versions prior to 1.19.4. The Nokogiri::XML::XPathContext class does not keep its source document alive, so once the document is garbage collected, XPath expressions evaluated through the context can operate on invalid memory. This typically happens when an application creates an XPathContext manually and lets the associated document become unreachable while continuing to use the context. Standard methods such as Document#xpath and #css are not affected, and the vulnerability cannot be triggered by malicious document input.

Affected Version(s)

nokogiri < 1.19.4
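
An audit sketch for the condition described above, added here as an example and not taken from the Nokogiri project: it flags nokogiri versions below 1.19.4 in Gemfile.lock text and locates manual XPathContext construction in Ruby source. The lockfile, file names and source snippets are constructed sample input, and the function names are hypothetical.

```ruby
require "rubygems" # Gem::Version ships with Ruby

FIXED_VERSION = Gem::Version.new("1.19.4") # first fixed release per the advisory

# Return the nokogiri versions pinned in Gemfile.lock text that predate the fix.
# Platform suffixes such as "-x86_64-linux-gnu" are stripped before comparing.
def affected_nokogiri_versions(lockfile_text)
  lockfile_text.scan(/^ {4}nokogiri \(([0-9][0-9A-Za-z.]*)(?:-[^)]*)?\)$/)
               .flatten.uniq
               .select { |v| Gem::Version.new(v) < FIXED_VERSION }
end

# Find manual XPathContext construction, the only usage pattern the advisory
# describes as affected. Document#xpath and #css calls are not flagged.
def manual_xpath_contexts(sources)
  sources.flat_map do |path, text|
    text.each_line.with_index(1).filter_map do |line, no|
      next if line.strip.start_with?("#") # skip full-line comments
      [path, no, line.strip] if line =~ /\bXPathContext\.new\b/
    end
  end
end

# Constructed sample inputs (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.9-x86_64-linux-gnu)
        racc (~> 1.4)
      racc (1.8.1)
LOCK

SAMPLE_SOURCES = {
  "app/feed.rb" => <<~RUBY,
    def titles(xml)
      ctx = Nokogiri::XML::XPathContext.new(Nokogiri::XML(xml).root)
      ctx.evaluate("//title")
    end
  RUBY
  "app/links.rb" => "Nokogiri::HTML(html).xpath('//a') # Document#xpath: not affected\n",
}

puts "affected versions: #{affected_nokogiri_versions(SAMPLE_LOCK).inspect}"
manual_xpath_contexts(SAMPLE_SOURCES).each { |p, n, l| puts "#{p}:#{n}: #{l}" }
```

Each hit is a candidate for review: upgrade to 1.19.4 or later, and where the context must be built by hand, keep the document in a variable that lives as long as the context does.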

CVSS V4

Score: 1.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
