7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2021-41098

GHSA ID

GHSA-2rr5-8q37-2w7h

EPSS Score

0.71883%

CWE

CWE-611

Published

9/27/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41098

CVE-2021-41098: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

Nokogiri::XML::SAX::Parser
Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
Nokogiri::XML::SAX::PushParser
Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2021-41098

GHSA ID

GHSA-2rr5-8q37-2w7h

EPSS Score

0.71883%

CWE

CWE-611

Published

9/27/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nokogiri	rubygems	<= 1.12.4	1.12.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from SAX parsers resolving external entities by default on JRuby. The key fix in the commit adds NokogiriEntityResolver to XML SAX parsers (visible in XmlSaxParserContext.java's parse_with method). The absence of this resolver in vulnerable versions allowed XXE. The NokogiriHandler changes show error handling improvements related to entity resolution errors, indicating it was involved in the vulnerable flow. The high confidence for parse_with comes from direct security control (entity resolver) being missing, while medium confidence for NokogiriHandler reflects its secondary role in error handling during entity resolution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### S*v*rity T** Noko*iri m*int*in*rs **v* *v*lu*t** t*is *s [***i** S*v*rity** *.* (*VSS*.*)](*ttps://www.*irst.or*/*vss/**l*ul*tor/*.*#*VSS:*.*/*V:N/**:L/PR:N/UI:N/S:U/*:*/I:N/*:N/*:*/RL:O/R*:*/M*V:N/M**:L) *or JRu*y us*rs. (T*is s**urity **visory

Reasoning

T** vuln*r**ility st*mm** *rom S*X p*rs*rs r*solvin* *xt*rn*l *ntiti*s *y ****ult on JRu*y. T** k*y *ix in t** *ommit ***s Noko*iri*ntityR*solv*r to XML S*X p*rs*rs (visi*l* in XmlS*xP*rs*r*ont*xt.j*v*'s p*rs*_wit* m*t*o*). T** **s*n** o* t*is r*solv

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-41098: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

Impact

Mitigation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI