CVE-2026-57435 in nokogiri

Summary

by MITRE • 06/25/2026

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability in Nokogiri versions prior to 1.19.4 represents a critical memory management flaw that affects the CRuby native extension's handling of XML attribute values. This issue stems from improper garbage collection behavior within the library's internal memory allocation mechanisms, creating a scenario where Ruby wrapper objects maintain references to memory that has already been freed. The vulnerability specifically impacts the Nokogiri::XML::Attr#value= method which is responsible for modifying attribute values in XML documents processed by the library.

The technical flaw manifests when an XML attribute's value is replaced through the value= method while other parts of Ruby code have previously accessed child nodes associated with that attribute. Under normal circumstances, this should not pose a problem, but due to the implementation defect, the native child node memory gets freed prematurely while Ruby wrapper objects remain reachable through the document node cache. This creates a dangling pointer scenario where the Ruby object references memory that is no longer valid for use. The vulnerability is particularly insidious because it can be triggered through seemingly innocuous operations that modify XML attribute values, making it difficult to detect during routine testing or code review processes.

The operational impact of this vulnerability extends beyond simple crashes to potentially enable more sophisticated exploitation techniques. When the freed memory is accessed by subsequent Ruby garbage collection cycles or when the invalid pointer is dereferenced during normal operation, it results in invalid read operations that can cause segmentation faults and application crashes. This behavior violates fundamental memory safety principles and can be exploited by attackers to achieve arbitrary code execution or denial of service conditions in applications that rely on Nokogiri for XML processing. The vulnerability affects any Ruby application using Nokogiri versions before 1.19.4 when performing attribute value modifications on XML documents, particularly in web applications that parse user-provided XML content.

The fix implemented in version 1.19.4 addresses this memory management issue by ensuring proper reference counting and cleanup procedures are followed when modifying XML attribute values. The patch corrects the timing of native memory deallocation to occur only after all Ruby wrapper objects referencing that memory have been properly released from the document node cache. This remediation aligns with established security practices for memory safety in interpreted languages, specifically addressing CWE-416 which covers use after free vulnerabilities. Organizations should prioritize updating to Nokogiri 1.19.4 or later versions as the patch resolves this critical issue without requiring code changes from application developers. The vulnerability demonstrates the importance of proper memory management in native extensions and highlights how seemingly simple operations can expose complex security risks in widely-used libraries that interface between high-level scripting languages and low-level memory management systems.

The vulnerability class falls under ATT&CK technique T1059.007 for execution through Ruby scripting and T1499.004 for application disruption through resource exhaustion or memory corruption. This flaw represents a classic example of how native extensions in interpreted languages can introduce security risks that are not apparent during normal development cycles, emphasizing the need for comprehensive testing of memory management behaviors in security-critical libraries. The issue underscores the importance of maintaining up-to-date dependencies and following security advisories from library maintainers to prevent exploitation of known vulnerabilities in production environments.
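As an added example (not code from the advisory, from MITRE or from the Nokogiri project), the following Ruby helper audits a Gemfile.lock for nokogiri entries older than the fixed 1.19.4 release, the remediation both sections above call for; the sample lock file contents and the spec-line pattern are constructed assumptions.

```ruby
# Added example: flag nokogiri versions affected by CVE-2026-57435.
# The advisory states the fix landed in 1.19.4, so anything older is affected.
require "rubygems"

FIXED_NOKOGIRI_VERSION = Gem::Version.new("1.19.4")

# Assumed Gemfile.lock spec-line shape, e.g. "    nokogiri (1.19.3)" or the
# platform-specific form "    nokogiri (1.19.3-x86_64-linux)".
NOKOGIRI_SPEC_LINE = /^\s{4}nokogiri \(([^)\s]+)\)\s*$/

# True when the numeric part of the version is older than 1.19.4.
# A platform suffix such as "-x86_64-linux" is dropped before comparing,
# because Gem::Version does not accept the underscore in "x86_64".
def nokogiri_affected?(version_string)
  base = version_string[/\A[\d.]+/]
  Gem::Version.new(base) < FIXED_NOKOGIRI_VERSION
end

# Scans Gemfile.lock text and returns one hash per nokogiri spec line,
# with :version (as written in the lock file) and :affected.
def audit_gemfile_lock(lock_text)
  lock_text.each_line.filter_map do |line|
    m = NOKOGIRI_SPEC_LINE.match(line)
    next unless m
    { version: m[1], affected: nokogiri_affected?(m[1]) }
  end
end

# Constructed sample lock file, for demonstration only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.7)
      nokogiri (1.19.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_gemfile_lock(SAMPLE_LOCK).each do |r|
    status = r[:affected] ? "AFFECTED, update to >= 1.19.4" : "ok"
    puts "nokogiri #{r[:version]}: #{status}"
  end
end
```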

Responsible

GitHub M

Reservation

06/24/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00357

KEV

no

Activities

low

Sources
