Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries it depends on. When handling the expansion of XML external entities (XXE) in libxml2, you can specify documents to be read. Opting into the DTDLOAD option and opting out of the NONET option in Nokogiri allows unknown documents to be loaded from the network. This can be used by attackers to load specially crafted XML documents on an internal XML parsing service and may lead to unauthorized disclosure of potentially sensitive information.
Note: This vulnerability exists also in versions < 1.5.4 regardless of the options opted into or out of. See information here
Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries it depends on. When handling the expansion of XML external entities (XXE) in libxml2, you can specify documents to be read. Opting into the DTDLOAD option and opting out of the NONET option in Nokogiri allows unknown documents to be loaded from the network. This can be used by attackers to load specially crafted XML documents on an internal XML parsing service and may lead to unauthorized disclosure of potentially sensitive information.
Note: This vulnerability exists also in versions < 1.5.4 regardless of the options opted into or out of. See information here