CVE-2026-57234

NameCVE-2026-57234
DescriptionNokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140769

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-nokogiri (PTS)bullseye1.11.1+dfsg-2fixed
bullseye (security)1.11.1+dfsg-2+deb11u1fixed
bookworm1.13.10+dfsg-2fixed
trixie1.18.2+dfsg-1vulnerable
forky, sid1.19.4+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-nokogirisourcebullseye(not affected)
ruby-nokogirisourcebookworm(not affected)
ruby-nokogirisource(unstable)1.19.4+dfsg-11140769

Notes

[trixie] - ruby-nokogiri <no-dsa> (Minor issue)
[bookworm] - ruby-nokogiri <not-affected> (JRuby-only; Debian builds/uses the CRuby implementation)
[bullseye] - ruby-nokogiri <not-affected> (JRuby-only; Debian builds/uses the CRuby implementation)
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2

Search for package or bug name: Reporting problems