REXML Gem Vulnerable to ReDoS Attack
CVE-2024-49761

7.5HIGH

Key Information:

Vendor

Ruby

Status
Rexml
Vendor
CVE Published:
28 October 2024

What is CVE-2024-49761?

The REXML XML toolkit for Ruby has a ReDoS (Regular Expression Denial of Service) vulnerability present in versions prior to 3.3.9. This vulnerability is triggered when REXML processes XML inputs containing numerous digits positioned between '&#' and 'x...' within hex numeric character references (e.g., '&#x...;'). While later Ruby versions, specifically Ruby 3.2 and above, remain unaffected, Ruby 3.1 is identified as the only maintained version susceptible to this flaw. The REXML gem has addressed this security issue in version 3.3.9 and subsequent releases, making it crucial for developers utilizing earlier versions to upgrade promptly to mitigate potential risks.

Affected Version(s)

rexml < 3.3.9

References

https://github.com/ruby/rexml/security/advisories/GHSA-2r...
x_refsource_CONFIRM
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe164...
x_refsource_MISC
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.