Versions of Nokogiri prior to 1.11.0 have a vulnerability.
Vulnerable versions: <= 1.10.10
Patched version: 1.11.0.rc4
Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).
Description
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.
This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".
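As an added defensive example (not code from the advisory or from the Nokogiri project), the Ruby script below inspects an XML Schema document before it is handed to a schema parser and lists every xs:import, xs:include or xs:redefine whose schemaLocation points at a network URL, which is the kind of external reference the description above is about. It uses only REXML from the Ruby standard distribution, so it runs without Nokogiri installed; the two schema strings are constructed sample inputs and the .invalid hostname is a placeholder.

```ruby
require 'rexml/document'
require 'uri'

XSD_NS = 'http://www.w3.org/2001/XMLSchema'.freeze

# XML Schema constructs whose schemaLocation attribute makes a schema
# processor fetch another document.
REFERENCING_ELEMENTS = %w[import include redefine].freeze

# URL schemes that would cause the fetch to go over the network.
NETWORK_SCHEMES = %w[http https ftp].freeze

# Returns every schemaLocation in the XSD text that resolves over the
# network. Relative locations such as "local-types.xsd" are not returned:
# they are read from the filesystem, which is outside the advisory's scope.
# Raises ArgumentError when the input is not well-formed XML.
def remote_schema_references(xsd_text)
  doc = REXML::Document.new(xsd_text)
  refs = []
  REXML::XPath.each(doc, '//*') do |el|
    # REXML::Element#name is the local name; #namespace resolves the prefix
    # (or default namespace) to its URI, so prefixed and unprefixed schemas
    # are handled alike.
    next unless el.namespace == XSD_NS && REFERENCING_ELEMENTS.include?(el.name)

    location = el.attributes['schemaLocation']
    next if location.nil? || location.strip.empty?

    scheme = begin
      URI.parse(location.strip).scheme
    rescue URI::InvalidURIError
      nil
    end
    refs << location if scheme && NETWORK_SCHEMES.include?(scheme.downcase)
  end
  refs
rescue REXML::ParseException => e
  raise ArgumentError, "not well-formed XML: #{e.message}"
end

# True when the schema contains no network references and can be parsed
# without a parser that enforces NONET.
def schema_safe_to_parse?(xsd_text)
  remote_schema_references(xsd_text).empty?
end

# Constructed sample: a self-contained schema.
SAFE_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="note" type="xs:string"/>
  </xs:schema>
XSD

# Constructed sample: one local include (not flagged) and one import that
# would be fetched over the network (flagged). The hostname is a placeholder.
NETWORK_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:include schemaLocation="local-types.xsd"/>
    <xs:import namespace="urn:example:ext"
               schemaLocation="http://schema-host.invalid/external.xsd"/>
    <xs:element name="note" type="xs:string"/>
  </xs:schema>
XSD

if __FILE__ == $PROGRAM_NAME
  [SAFE_XSD, NETWORK_XSD].each do |xsd|
    refs = remote_schema_references(xsd)
    puts(refs.empty? ? 'no network references' : "network references: #{refs.join(', ')}")
  end
end
```

On Nokogiri 1.11.0 and later the schema parser refuses network access by default, so this pre-check is belt and braces there; on the affected versions it is the mitigation available short of upgrading, and logging its result gives a useful detection signal for schemas arriving from untrusted sources. Nokogiri 1.11 also accepts a Nokogiri::XML::ParseOptions value as the second argument of Nokogiri::XML::Schema.new, so passing Nokogiri::XML::ParseOptions::NONET explicitly makes the intent visible in code; that call is not exercised by this script.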
Affected Versions
Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3
Nokogiri has since released 1.11.0 officially, so the .rc4 suffix shouldn't be needed.