Nokogiri is vulnerable to an XML external entity (XXE) attack. The vulnerability exists because external DTDs are enabled by default in the XML parser, which would allow an attacker to submit requests on behalf of the server and gain access to internal and local resources.
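
The following is an added example, not code from Nokogiri or from the advisory: a pre-parse guard in plain Ruby (standard library only) that refuses untrusted XML whose DTD would make a parser fetch an external subset or external entity. The method names, the `ExternalRef` struct, and the sample documents with their placeholder hosts and paths are assumptions made for illustration.

```ruby
# Added example: fail-closed pre-parse guard for untrusted XML (stdlib only).
# It is a heuristic byte scan, not a replacement for parser configuration.
ExternalRef = Struct.new(:kind, :name, :system_id)

LIT    = /"[^"]*"|'[^']*'/                       # XML quoted literal
EXT_ID = /(?:SYSTEM|PUBLIC\s+#{LIT})\s+(#{LIT})/ # captures the system identifier
DOCTYPE_EXT = /<!DOCTYPE\s+([^\s\[>]+)\s+#{EXT_ID}/
ENTITY_EXT  = /<!ENTITY\s+(%\s+)?([^\s%]+)\s+#{EXT_ID}/

# Lists what the document's DTD would make a parser fetch: the external
# subset plus external general and parameter entities.
def external_dtd_refs(xml)
  bytes = xml.b
  # UTF-16/UTF-32 input hides markup from an ASCII scan, so refuse it.
  raise ArgumentError, "non-ASCII-compatible XML" if bytes.include?("\x00".b)
  refs = []
  if (m = DOCTYPE_EXT.match(bytes))
    refs << ExternalRef.new(:external_subset, m[1], m[2][1..-2])
  end
  bytes.scan(ENTITY_EXT) do |pct, name, sys|
    kind = pct ? :parameter_entity : :general_entity
    refs << ExternalRef.new(kind, name, sys[1..-2])
  end
  refs
end

# Default policy rejects any DOCTYPE; allow_doctype permits internal-only DTDs.
def safe_to_parse?(xml, allow_doctype: false)
  return false if !allow_doctype && xml.b.include?("<!DOCTYPE".b)
  external_dtd_refs(xml).empty?
rescue ArgumentError
  false
end

# Constructed sample documents; hosts and paths are placeholders.
BENIGN          = %(<?xml version="1.0"?>\n<note><to>ops</to></note>)
INTERNAL_DTD    = %(<!DOCTYPE note [<!ENTITY who "ops">]>\n<note>&who;</note>)
EXTERNAL_SUBSET = %(<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd">\n<note/>)
EXTERNAL_ENTITY = %(<!DOCTYPE note [<!ENTITY cfg SYSTEM "file:///placeholder/path">]>\n<note>&cfg;</note>)

if __FILE__ == $PROGRAM_NAME
  { benign: BENIGN, internal: INTERNAL_DTD, subset: EXTERNAL_SUBSET,
    entity: EXTERNAL_ENTITY }.each do |label, doc|
    refs = external_dtd_refs(doc).map { |r| "#{r.kind}=#{r.system_id}" }
    puts "#{label}: safe=#{safe_to_parse?(doc)} refs=#{refs.inspect}"
  end
end
```
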
github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
hackerone.com/reports/747489
lists.debian.org/debian-lts-announce/2021/06/msg00007.html
rubygems.org/gems/nokogiri