Impact
A flaw in Nokogiri’s JRuby implementation allows XML::Schema parsing to ignore the NONET option, enabling external network resources to be fetched during schema validation. This behavior can be leveraged for Server‑Side Request Forgery or XML External Entity attacks, exposing confidential data, modifying internal state, or disrupting application availability. The weakness corresponds to improper input validation and error handling (CWE-178, CWE-184, CWE-611).
Affected Systems
The impact applies to systems that include the Sparklemotion Nokogiri library for Ruby, specifically any versions before 1.19.4 that run under JRuby. The vulnerability is present in the analysis of XML schemas when the default NONET enforcement is bypassed.
Risk and Exploitability
The CVSS score of 2.6 indicates low overall severity, and the EPSS score is not available, suggesting limited known exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack path involves a local or remote attacker that can supply a crafted XML schema to the application; the attacker need not exploit a transport channel because the flaw is exercised during local library calls. The default JRuby configuration fails to enforce NONET, so the application code itself must explicitly set or enforce the option for safe operation.
OpenCVE Enrichment