REXML Gem Vulnerable to ReDoS Attack
CVE-2024-49761

6.6MEDIUM

Key Information:

Vendor

Ruby

Status
Rexml
Vendor
CVE Published:
28 October 2024

What is CVE-2024-49761?

The REXML XML toolkit for Ruby has a ReDoS (Regular Expression Denial of Service) vulnerability present in versions prior to 3.3.9. This vulnerability is triggered when REXML processes XML inputs containing numerous digits positioned between '&#' and 'x...' within hex numeric character references (e.g., '&#x...;'). While later Ruby versions, specifically Ruby 3.2 and above, remain unaffected, Ruby 3.1 is identified as the only maintained version susceptible to this flaw. The REXML gem has addressed this security issue in version 3.3.9 and subsequent releases, making it crucial for developers utilizing earlier versions to upgrade promptly to mitigate potential risks.

Affected Version(s)

rexml < 3.3.9

References

https://github.com/ruby/rexml/security/advisories/GHSA-2r...
x_refsource_CONFIRM
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe164...
x_refsource_MISC
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-...
x_refsource_MISC

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2024-49761 : REXML Gem Vulnerable to ReDoS Attack