VYPR
High severity · NVD Advisory · Published Feb 19, 2020 · Updated Aug 6, 2024

CVE-2012-6685

Description

Nokogiri before 1.5.4 is vulnerable to XXE attacks

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nokogiri before 1.5.4 is vulnerable to XXE attacks, allowing remote attackers to read local files or conduct SSRF via external XML entities.

CVE-2012-6685 describes an XML external entity (XXE) vulnerability in Nokogiri, a Ruby gem for parsing XML and HTML documents. In versions prior to 1.5.4 the parser's default options allowed external entities declared in a document's DTD to be resolved, so an attacker who controls the XML can make the parser fetch resources it names. The root cause is the absence of a secure default configuration that prevents external entity resolution during XML parsing [1] [3].

Exploitation

An attacker exploits this flaw by crafting an XML document whose DTD declares an external entity with a SYSTEM identifier pointing at a local file or a remote URL, and then references that entity in the document body. When a vulnerable version of Nokogiri parses the input it attempts to load the entity, which can disclose files from the server's filesystem or cause outbound connections to arbitrary hosts. No authentication is required beyond whatever the application demands to reach the endpoint that accepts XML; if that endpoint is public, the attack is unauthenticated [3].

Impact

Successful exploitation can lead to information disclosure (for example, reading /etc/passwd) or server-side request forgery (SSRF), forcing the server to issue requests to internal or external hosts. The initial fix in Nokogiri 1.5.4 made the nonet parse option the default, which blocks network fetches but does not stop entities that resolve to file:// URLs; only the move to libxml2 2.9.0, which no longer loads external entities by default, in Nokogiri 1.6.4 fully resolved the issue [3] [4].

Mitigation

Users should upgrade to Nokogiri 1.6.4 or later, which uses libxml2 >= 2.9.0 and therefore does not load external entities by default. Where an immediate upgrade is not feasible, the application can be hardened by parsing untrusted input with the nonet option set, leaving the noent (entity substitution) and dtdload options off, and rejecting untrusted documents that carry a DOCTYPE at all. Note that nonet alone does not block file:// entities, so this workaround may not fully protect against local file inclusion [3].
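The following is an added example and not Nokogiri project code. It shows the shape of the XXE payloads described under Exploitation (constructed samples, the file:// and http:// targets are illustrative) and a stdlib-only pre-parse guard of the kind the Mitigation text recommends: any untrusted document that declares a DTD, an external entity or a parameter entity is refused before it reaches the parser. The parse_hardened helper at the end assumes the nokogiri gem is installed and is only a reference for the nonet/strict parse options; the guard itself has no dependencies.

```ruby
# Added example (not Nokogiri project code): a stdlib-only pre-parse guard
# that refuses XML carrying a DTD, an external entity or a parameter entity
# before the document is handed to an XML parser.

# Constructed XXE payload of the kind CVE-2012-6685 concerns: an external
# general entity pointing at a local file, expanded in the document body.
XXE_FILE_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE foo [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <foo>&xxe;</foo>
XML

# Constructed SSRF variant: the entity points at an internal HTTP host.
XXE_SSRF_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>
  <foo>&xxe;</foo>
XML

# Constructed benign document with no DTD at all.
BENIGN_XML = '<?xml version="1.0"?><order id="42"><item sku="A1"/></order>'

# Prolog patterns. This is a defence-in-depth filter for untrusted input,
# not a substitute for a parser that does not load external entities.
DOCTYPE_RE      = /<!DOCTYPE\b/i
EXT_ENTITY_RE   = /<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b/i
PARAM_ENTITY_RE = /<!ENTITY\s+%/i

# Classify an XML string. Returns one of:
#   :external_entity  - declares an entity with a SYSTEM/PUBLIC identifier
#   :parameter_entity - declares a parameter entity (used in blind XXE)
#   :dtd              - has a DOCTYPE but no external/parameter entity
#   :ok               - no DTD at all
def classify_xml(xml)
  return :external_entity if xml =~ EXT_ENTITY_RE
  return :parameter_entity if xml =~ PARAM_ENTITY_RE
  return :dtd if xml =~ DOCTYPE_RE
  :ok
end

# Gatekeeper: true when the document may be passed to the parser.
# By default even an internal-only DTD is refused, the safest setting
# for input from the network.
def safe_to_parse?(xml, allow_internal_dtd: false)
  case classify_xml(xml)
  when :ok then true
  when :dtd then allow_internal_dtd
  else false
  end
end

# Reference hardened call (assumes the nokogiri gem; not exercised by the
# guard above). strict disables recovery mode, nonet blocks network fetches,
# and noent/dtdload are left off so entities are neither substituted nor
# fetched from an external DTD. The guard still runs first because nonet
# alone does not stop file:// entities on old libxml2 builds.
def parse_hardened(xml)
  require 'nokogiri'
  raise ArgumentError, 'DTD or external entity in untrusted XML' unless safe_to_parse?(xml)
  Nokogiri::XML(xml) { |cfg| cfg.strict.nonet }
end

if __FILE__ == $0
  [XXE_FILE_PAYLOAD, XXE_SSRF_PAYLOAD, BENIGN_XML].each do |doc|
    puts "#{classify_xml(doc)} -> safe_to_parse?=#{safe_to_parse?(doc)}"
  end
end
```

Running the script prints external_entity for both payloads and ok for the benign order document. The regex filter is deliberately coarse: it errs towards rejecting anything with a DOCTYPE, because an application that accepts XML from untrusted parties rarely has a legitimate reason to process a DTD at all.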

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
nokogiri (RubyGems)  < 1.5.4             1.5.4

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)