CVE-2021-41098

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.42%
Third-Party Advisory github.com Third-Party Advisory github.com
Affected: sparklemotion nokogiri
Published at:
Updated at:

References

Link Tags
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h third party advisory
https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-41098?
CVE-2021-41098 has been scored as a high severity vulnerability.
How to fix CVE-2021-41098?
To fix CVE-2021-41098, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-41098 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-41098 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-41098?
CVE-2021-41098 affects sparklemotion nokogiri.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.