Missing Release of Memory after Effective Lifetime Affecting nokogiri package, versions <1.19.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Missing Release of Memory after Effective Lifetime vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-RUBY-NOKOGIRI-16438970
- published7 May 2026
- disclosed27 Apr 2026
- creditCaptainjack-kor
Introduced: 27 Apr 2026
New CVE NOT AVAILABLE CWE-401 (opens in a new tab)How to fix?
Upgrade nokogiri to version 1.19.3 or higher.
Overview
nokogiri is a gem for parsing HTML, XML, SAX, and Reader.
Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the XSLT::Stylesheet#transform function, when a string parameter containing a null byte is processed, preventing StringValueCStr from cleaning up the allocated array. An attacker can cause resource exhaustion by repeatedly supplying malicious input to long-running processes. The process needs to be sufficiently long-running that an accumulation of 24–32 bytes of heap memory at a time can have a substantial negative impact. This attack requirement is out of the attacker's control.