{"id":"CVE-2020-26247","details":"Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.","aliases":["GHSA-vr8q-g5c7-m54m"],"modified":"2026-04-16T04:30:49.252417412Z","published":"2020-12-30T19:15:12.920Z","related":["GHSA-vr8q-g5c7-m54m","SUSE-SU-2021:0210-1","SUSE-SU-2021:0251-1","SUSE-SU-2021:2554-1","openSUSE-SU-2021:0237-1"],"references":[{"type":"ADVISORY","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"},{"type":"ADVISORY","url":"https://rubygems.org/gems/nokogiri"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-29"},{"type":"ADVISORY","url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4"},{"type":"REPORT","url":"https://hackerone.com/reports/747489"},{"type":"FIX","url":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sparklemotion/nokogiri","events":[{"introduced":"0"},{"fixed":"1c1fba5e34bf620d83e96fb9dcbd7393c05a03e5"},{"introduced":"0"},{"last_affected":"8ce75d120acfe6a04d3e2c158d48050286ad3816"},{"introduced":"0"},{"last_affected":"a762738960d16e3b57434b11595be0e3dd73cd1e"},{"introduced":"0"},{"last_affected":"959db1d8a6d6afaaa5e2cef554492e367f1791ff"},{"fixed":"9c87439d9afa14a365ff13e73adc809cb2c3d97
b"},{"fixed":"f7bc31f8c246c3d6db1cd2b7feee2041630b0778"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.0"},{"introduced":"0"},{"last_affected":"1.11.0-rc1"},{"introduced":"0"},{"last_affected":"1.11.0-rc2"},{"introduced":"0"},{"last_affected":"1.11.0-rc3"}]}}],"versions":["1.7.0.1-linux-binary1","REL_1.0.0","REL_1.0.1","REL_1.0.2","REL_1.0.3","REL_1.0.4","REL_1.0.5","REL_1.0.6","REL_1.0.7","REL_1.5.0.beta.1","REL_1.5.0.beta.2","v1.10.0","v1.10.0.rc1","v1.10.1","v1.10.2","v1.10.3","v1.11.0.rc1","v1.11.0.rc2","v1.11.0.rc3","v1.11.0.rc4","v1.5.0","v1.5.0.beta.3","v1.5.0.beta.4","v1.5.1","v1.5.1.rc1","v1.5.2","v1.5.3","v1.5.3.rc1","v1.5.3.rc3","v1.5.3.rc4","v1.5.3.rc5","v1.5.3.rc6","v1.5.4.rc1","v1.5.4.rc2","v1.5.4.rc3","v1.5.5.rc1","v1.5.5.rc2","v1.5.6","v1.5.6.rc2","v1.5.7","v1.5.7.rc1","v1.5.7.rc2","v1.5.7.rc3","v1.5.8","v1.5.9","v1.6.0","v1.6.0.rc1","v1.6.2","v1.6.2.1","v1.6.2.beta.1","v1.6.2.rc1","v1.6.2.rc3","v1.6.3","v1.6.3.1","v1.6.3.rc1","v1.6.3.rc2","v1.6.3.rc3","v1.6.4","v1.6.5","v1.6.6","v1.6.6.1","v1.6.6.2","v1.6.7.rc1","v1.6.7.rc2","v1.6.7.rc3","v1.6.7.rc4","v1.6.8","v1.6.8.rc1","v1.6.8.rc2","v1.6.8.rc3","v1.7.0","v1.7.0.1","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.9.0","v1.9.0.rc1","v1.9.1"],"database_specific":{"vanir_signatures_modified":"2026-04-11T11:23:26Z","vanir_signatures":[{"digest":{"threshold":0.9},"id":"CVE-2020-26247-1086b743","signature_type":"Line","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","target":{"file":"ext/nokogiri/xml_relax_ng.c"}},{"digest":{"function_hash":"219890053045773288413438907544483592904","length":369},"target":{"function":"getSchema","file":"ext/java/nokogiri/XmlSchema.java"},"signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","id":"CVE-2020-26247-2914ce50"},{"digest":{"threshold":0.9},"id":"CVE-2020-26247-2a7b9317","signature_type":"Line","signature_version":"v1","source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","deprecated":false,"target":{"file":"ext/java/nokogiri/XmlRelaxng.java"}},{"digest":{"function_hash":"9661515642441603369072603515252723382","length":720},"id":"CVE-2020-26247-4952ba37","signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","target":{"function":"read_memory","file":"ext/nokogiri/xml_schema.c"}},{"digest":{"function_hash":"39153933559615413504428734559142695356","length":906},"id":"CVE-2020-26247-a4f0f1ad","signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","target":{"function":"from_document","file":"ext/nokogiri/xml_schema.c"}},{"digest":{"function_hash":"333683911630746199756708849538491302527","length":736},"target":{"function":"from_document","file":"ext/nokogiri/xml_relax_ng.c"},"signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","id":"CVE-2020-26247-a7029d53"},{"digest":{"threshold":0.9},"target":{"file":"ext/java/nokogiri/XmlSchema.java"},"signature_type":"Line","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","id":"CVE-2020-26247-aacd9cb6"},{"digest":{"function_hash":"117965742480207517228833462108399685431","length":721},"target":{"function":"read_memory","file":"ext/nokogiri/xml_relax_ng.c"},"signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","id":"CVE-2020-26247-b7a35816"},{"digest":{"function_hash":"223075275764046106416786741881055081456","length":649},"id":"CVE-2020-26247-bd9c9e93","signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","target":{"function":"createSchemaInstance","file":"ext/java/nokogiri/XmlSchema.java"}},{"digest":{"function_hash":"55369905720923703898960383428349986875","length":413},"target":{"function":"init_xml_schema","file":"ext/nokogiri/xml_schema.c"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","deprecated":false,"id":"CVE-2020-26247-bf1a9ac9"},{"digest":{"function_hash":"5786619012056855424931940457734128357","length":503},"id":"CVE-2020-26247-d43b961b","signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","target":{"function":"from_document","file":"ext/java/nokogiri/XmlSchema.java"}},{"digest":{"function_hash":"178420493317479619596962782960376001712","length":366},"id":"CVE-2020-26247-da6b2d19","signature_type":"Function","signature_version":"v1","source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","deprecated":false,"target":{"function":"init_xml_relax_ng","file":"ext/nokogiri/xml_relax_ng.c"}},{"digest":{"function_hash":"70547010719699758318416237910510805399","length":198},"id":"CVE-2020-26247-dc31f83e","signature_type":"Function","deprecated":false,"source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","signature_version":"v1","target":{"function":"read_memory","file":"ext/java/nokogiri/XmlSchema.java"}},{"digest":{"threshold":0.9},"target":{"file":"ext/nokogiri/xml_schema.c"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","deprecated":false,"id":"CVE-2020-26247-e2c7b7dd"},{"digest":{"function_hash":"245022092763465965443630047219394908629","length":489},"id":"CVE-2020-26247-e2d1577f","signature_type":"Function","signature_version":"v1","source":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","deprecated":false,"target":{"function":"createSchemaInstance","file":"ext/java/nokogiri/XmlRelaxng.java"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26247.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}