nokogiri is using libxml2 library which is vulnerable to the CVE-2016-9318. The vulnerability is only possible when applications using nokogiri 1.5.4 and later do not opt into the DTDLOAD
option and opt out of the NONET
option. The default setting in nokogiri does not use both DTD loading and network access, therefore it is not vulnerable by default.