Nokogiri: XML::Schema on JRuby allows network requests when NONET is...

2.6 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

Basic Information

ID CVE-2026-57234

Source GitHub_M

Published Jun 25, 2026 at 14:30

Modified Jun 25, 2026 at 15:05

Affected Product

Vendor sparklemotion

Product nokogiri

Version < 1.19.4

Affected Versions sparklemotion nokogiri < 1.19.4

CWE Classification

CWE-178 CWE-184 CWE-611

References

github.com /sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2

{
    "lastseen": "",
    "description": "Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.",
    "published": "2026-06-25T14:30:20.478Z",
    "modified": "2026-06-25T15:05:42.484Z",
    "type": "cve",
    "title": "Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247",
    "source": "GitHub_M",
    "references": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2",
    "id": "CVE-2026-57234",
    "bulletinFamily": "",
    "cwe": [
        "CWE-178",
        "CWE-184",
        "CWE-611"
    ],
    "cvelist": null,
    "sourceData": "sparklemotion nokogiri < 1.19.4",
    "sourceHref": "",
    "cvss": {
        "score": 2.6,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nokogiri",
    "version": "< 1.19.4",
    "vendor": "sparklemotion",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247_CVE-2026-57234