Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Requires JRuby runtime, attacker-supplied schema, and user interaction (AC:H, PR:L, UI:R); impact limited to SSRF/XXE data disclosure with no integrity or availability consequence.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
AnalysisAI
NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the target Ruby application must be running on the JRuby implementation - CRuby deployments at any Nokogiri version are immune; (2) the application must use Nokogiri::XML::Schema to parse XML schemas, specifically with default parse options (NONET enabled); (3) the attacker must be able to supply or influence the schema content processed by the application, since the bypass is triggered by external resource references embedded in the schema itself; and (4) CVSS PR:L indicates some level of authenticated or low-privilege access is required, and UI:R indicates a user or process action must trigger the schema parse. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 2.6 (Low) is internally consistent with the vector AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, reflecting high attack complexity, a required low-privileged authenticated context, mandatory user interaction, and only limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious XML Schema document containing references to attacker-controlled external URLs using alternate-case scheme strings (exploiting the case-sensitive denylist bypass) and submits it to a JRuby-based Ruby application that uses Nokogiri::XML::Schema for schema validation with default parse options. The application's Nokogiri JRuby implementation issues an outbound HTTP request to the attacker's server despite NONET being set, enabling the attacker to map internal network topology via SSRF or extract data via XXE response channels. … |
| Remediation | Upgrade to Nokogiri 1.19.4 or later via gem update nokogiri or by updating the Gemfile pin; this is the only confirmed fix per the vendor advisory at https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Rub
Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high sever
Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a l
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium sev
Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointin
Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault wh
Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application cod
Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a seg
Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.
Same weakness CWE-178 – Improper Handling of Case Sensitivity
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39421