CVE-2026-57234
Status: Awaiting Analysis
XML External Entity Injection in Nokogiri

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
Affected Vendors & Products (2 associated CPEs)
Vendor          Product    Version / Range
nokogiri        nokogiri   up to 1.19.4 (inclusive)
sparklemotion   nokogiri   up to 1.19.4 (exclusive)
CWE ID    Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Executive Summary

The CVE-2026-57234 vulnerability affects the Nokogiri library, specifically its XML::Schema implementation on JRuby. The issue involves the NONET parse option, which is intended to prevent network requests during schema parsing but was not properly enforced on JRuby. This flaw allowed external resources to be fetched over the network despite the NONET setting, potentially enabling Server-Side Request Forgery (SSRF) or XML External Entity (XXE) attacks.

The vulnerability bypasses a previous fix (CVE-2020-26247) that addressed a similar issue in CRuby but not JRuby. The fix in Nokogiri 1.19.4 replaces the scheme denylist with an allowlist, ensuring only local resources are resolved when NONET is enabled, aligning JRuby's behavior with CRuby.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause your application to fetch external resources over the network when parsing XML schemas, even if the NONET option is enabled. This can lead to Server-Side Request Forgery (SSRF) or XML External Entity (XXE) attacks.

Such attacks could be used to access internal systems, leak sensitive information, or cause denial of service. However, the severity is rated as low (CVSS 2.6) because exploitation requires specific conditions such as untrusted input and user interaction.

Users are advised to upgrade to Nokogiri 1.19.4 or later to mitigate this risk.

Detection Guidance

This vulnerability involves Nokogiri's XML::Schema implementation on JRuby improperly enforcing the NONET parse option, allowing external network requests during schema parsing. Detection would involve monitoring for unexpected outbound network requests initiated by Nokogiri processes, especially during XML schema parsing.

Since the issue is specific to JRuby and Nokogiri versions prior to 1.19.4, you can check the Nokogiri version in your environment to identify if you are vulnerable.

  • Check the installed Nokogiri version: `gem list nokogiri`, or inside a JRuby environment `jruby -S gem list nokogiri`
  • Monitor network traffic for unexpected outbound connections from JRuby processes, for example with `tcpdump` or `netstat`:
      `sudo tcpdump -i any host <suspicious_external_resource>`
      `netstat -plant | grep jruby` to list active network connections from JRuby processes

Additionally, review application logs for XML schema parsing operations that might be triggering external resource fetches.
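As an added example (not code from the advisory or the Nokogiri project), the version check above can be automated: the script below parses `gem list nokogiri` output and flags only JRuby (java-platform) installs below 1.19.4, since CRuby installs are not affected by this CVE. It assumes the usual `gem list` layout, in which each platform variant is listed inside one pair of parentheses and a missing platform means the CRuby build; the sample output is constructed.

```ruby
# Added example: flag Nokogiri installs affected by CVE-2026-57234 (JRuby only,
# fixed in 1.19.4) from the output of `gem list nokogiri`.
require "rubygems"

FIXED_VERSION = Gem::Version.new("1.19.4")

# Constructed sample of `gem list nokogiri` output. When a gem is installed for
# several platforms, every variant is listed inside one pair of parentheses.
SAMPLE_GEM_LIST = <<~OUT
  *** LOCAL GEMS ***

  nokogiri (1.19.4 java, 1.19.3 java, 1.18.2 x86_64-linux)
OUT

# Parse "nokogiri (ver [platform], ver [platform], ...)" into [version, platform]
# pairs. gem list omits the platform for the plain "ruby" (CRuby) build.
def nokogiri_installs(gem_list_output)
  line = gem_list_output.lines.find { |l| l.start_with?("nokogiri (") }
  return [] unless line
  inner = line[/\((.*)\)/, 1]
  inner.split(",").map do |entry|
    version, platform = entry.strip.split(/\s+/, 2)
    [Gem::Version.new(version), platform || "ruby"]
  end
end

# The NONET enforcement bug is JRuby-specific (the "java" platform gem); CRuby
# received the equivalent fix with CVE-2020-26247. Only java-platform versions
# below the fixed release are reported.
def vulnerable_installs(gem_list_output)
  nokogiri_installs(gem_list_output).select do |version, platform|
    platform == "java" && version < FIXED_VERSION
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass --live to inspect the current environment instead of the sample.
  output = ARGV.include?("--live") ? `gem list nokogiri` : SAMPLE_GEM_LIST
  hits = vulnerable_installs(output)
  if hits.empty?
    puts "No JRuby Nokogiri install below #{FIXED_VERSION} found."
  else
    hits.each { |v, p| puts "VULNERABLE: nokogiri #{v} (#{p}) < #{FIXED_VERSION}" }
  end
end
```

Run it under JRuby with `--live` (`jruby -S ruby check.rb --live`, assuming that file name) so the java-platform gems of that interpreter are the ones listed.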

Mitigation Strategies

The primary mitigation step is to upgrade Nokogiri to version 1.19.4 or later, where the vulnerability is fixed by properly enforcing the NONET parse option on JRuby.

If upgrading immediately is not possible, ensure that the NONET option is enabled explicitly when parsing XML schemas to prevent network access, although prior versions may not enforce this correctly on JRuby.

Avoid processing untrusted XML input or schemas that could trigger external network requests.

If network access is necessary for trusted input, the NONET option can be disabled explicitly, but this is not recommended for untrusted data.

Compliance Impact

The vulnerability in Nokogiri's XML::Schema implementation on JRuby could potentially enable SSRF or XXE attacks by allowing external resources to be fetched during schema parsing. Such attacks can lead to unauthorized access to internal resources or data exfiltration.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable SSRF or XXE attacks can pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could impact compliance by exposing sensitive data or systems to unauthorized access, potentially violating data protection requirements under regulations such as GDPR or HIPAA.

Upgrading to Nokogiri 1.19.4 or later, which fixes the issue, is recommended to mitigate these risks and help maintain compliance.
