2492934 – (CVE-2026-57234) CVE-2026-57234 nokogiri: Nokogiri: Server-Side Request Forgery (SSRF) and XML External Entity (XXE) via improper enforcement of NONET parse option

Bug 2492934 (CVE-2026-57234) - CVE-2026-57234 nokogiri: Nokogiri: Server-Side Request Forgery (SSRF) and XML External Entity (XXE) via improper enforcement of NONET parse option

Summary: CVE-2026-57234 nokogiri: Nokogiri: Server-Side Request Forgery (SSRF) and XML...

Keywords:
Status:	NEW
Alias:	CVE-2026-57234
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-25 15:01 UTC by OSIDB Bzimport
Modified:	2026-06-26 21:26 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-25 15:01:50 UTC

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

Note You need to log in before you can comment on or make changes to this bug.

akostadi
amasferr
anthomas
crizzo
dmayorov
ehelms
eshamard
ggainey
jlledo
jpasqual
juwatts
jvasik
kaycoth
mhulan
nmoumoul
osousa
pantinor
pcreech
rblanco
rchan
rhel-process-autobot
smallamp
tmalecek
tsedmik
watson-tool-maintainers