
Andrew Crewdson

#35725 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2021-23087
7.5
2021-09-27
Ruby · Nokogiri · CVE-2021-41098
**Name of the Vulnerable Software and Affected Versions**

Nokogiri versions 1.12.4 and earlier

**Description**

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of the following classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser.

**Recommendations**

For Nokogiri versions 1.12.4 and earlier, upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. As a temporary mitigation, consider disabling the use of the SAX parser for untrusted documents until the patch can be applied. Restrict access to the vulnerable classes to minimize the risk of exploitation, and avoid using the affected classes to parse untrusted documents until the issue is resolved.