Incorrect Type Conversion or Cast Affecting nokogiri package, versions <1.19.4
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUBY-NOKOGIRI-17457905
- published25 Jun 2026
- disclosed24 Jun 2026
- creditZheng Yu
Introduced: 24 Jun 2026
New CVE NOT AVAILABLE CWE-704 (opens in a new tab)How to fix?
Upgrade nokogiri to version 1.19.4 or higher.
Overview
nokogiri is a gem for parsing HTML, XML, SAX, and Reader.
Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast in the protected initialize_copy_with_args copy helper behind Node#dup and #clone, which unwraps its source argument as an xmlNode without a type check. The process crashes on an out-of-bounds memory read when application code calls that method with a non-Node argument, such as a Namespace, whose memory is then read as an xmlNs. Triggering it requires the application itself to invoke the protected internal method with an incompatible type, so it is not reachable through the public API or by untrusted input.