CVE Catalog

CVE-2026-57437

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile — higher than 25% of all known CVEs

Summary

Vulnerability in the Nokogiri library for Ruby (versions prior to 1.19.4) causes Nokogiri::XML::XPathContext to not keep its source document alive for garbage collection. If an XPathContext outlives its document and the document is collected, evaluating an XPath expression could read invalid memory and potentially segfault.

Risk Assessment

Risk only applies to applications that manually construct an XPathContext and let the document become unreachable while continuing to use the context. This can lead to process crashes (segfault) and potential service disruption.

Recommendation

Update Nokogiri to version 1.19.4 or later. Standard Document#xpath, #css, and related search methods are not affected, so the change only applies to custom XPathContext usage.

Original NVD description (English source)

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS