Search for vulnerabilities
Vulnerability details: VCID-f5ku-zjud-g3gw
Vulnerability ID VCID-f5ku-zjud-g3gw
Aliases CVE-2020-26247
GHSA-vr8q-g5c7-m54m
Summary Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability ### Description In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema` are **trusted** by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as **untrusted** by default whenever possible. Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity". ### Affected Versions Nokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3` ### Mitigation There are no known workarounds for affected versions. Upgrade to Nokogiri `1.11.0.rc4` or later. If, after upgrading to `1.11.0.rc4` or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior): 1. Ensure the input is trusted. Do not enable this option for untrusted input. 2. When invoking the `Nokogiri::XML::Schema` constructor, pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the `NONET` flag turned off. So if your previous code was: ``` ruby # in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network # but in v1.11.0.rc4 and later, this call will disallow network access for external resources schema = Nokogiri::XML::Schema.new(schema) # in v1.11.0.rc4 and later, the following is equivalent to the code above # (the second parameter is optional, and this demonstrates its default value) schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA) ``` Then you can add the second parameter to indicate that the input is trusted by changing it to: ``` ruby # in v1.11.0.rc3 and earlier, this would raise an ArgumentError # but in v1.11.0.rc4 and later, this allows resources to be accessed over the network schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet) ```
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-611 Improper Restriction of XML External Entity Reference
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json
epss 0.01141 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01141 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01141 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01141 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01224 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01224 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
epss 0.01242 https://api.first.org/data/v1/epss?cve=CVE-2020-26247
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vr8q-g5c7-m54m
cvssv3.1 4.3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml
cvssv3.1 4.3 https://github.com/sparklemotion/nokogiri
generic_textual MODERATE https://github.com/sparklemotion/nokogiri
cvssv3.1 4.3 https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03
generic_textual MODERATE https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03
cvssv3.1 4.3 https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
generic_textual MODERATE https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
cvssv3.1 4.3 https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
generic_textual MODERATE https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
cvssv3 2.6 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
cvssv3.1 4.3 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
cvssv3.1_qr MODERATE https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
generic_textual MODERATE https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
cvssv3.1 4.3 https://hackerone.com/reports/747489
generic_textual MODERATE https://hackerone.com/reports/747489
cvssv3.1 4.3 https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
cvssv3.1 4.3 https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
cvssv2 4.0 https://nvd.nist.gov/vuln/detail/CVE-2020-26247
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2020-26247
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-26247
cvssv3.1 4.3 https://rubygems.org/gems/nokogiri
generic_textual MODERATE https://rubygems.org/gems/nokogiri
cvssv3.1 4.3 https://security.gentoo.org/glsa/202208-29
generic_textual MODERATE https://security.gentoo.org/glsa/202208-29
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json
https://api.first.org/data/v1/epss?cve=CVE-2020-26247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26247
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml
https://github.com/sparklemotion/nokogiri
https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://hackerone.com/reports/747489
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
https://nvd.nist.gov/vuln/detail/CVE-2020-26247
https://rubygems.org/gems/nokogiri
https://security.gentoo.org/glsa/202208-29
1912487 https://bugzilla.redhat.com/show_bug.cgi?id=1912487
978967 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978967
cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc1:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc1:*:*:*:ruby:*:*
cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc2:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc2:*:*:*:ruby:*:*
cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc3:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc3:*:*:*:ruby:*:*
cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
GHSA-vr8q-g5c7-m54m https://github.com/advisories/GHSA-vr8q-g5c7-m54m
RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702
RHSA-2021:5191 https://access.redhat.com/errata/RHSA-2021:5191
USN-7659-1 https://usn.ubuntu.com/7659-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/sparklemotion/nokogiri
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://hackerone.com/reports/747489
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-26247
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-26247
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://rubygems.org/gems/nokogiri
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://security.gentoo.org/glsa/202208-29
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.77501
EPSS Score 0.01141
Published At Aug. 12, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:56.182792+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml 37.0.0