Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update rexml dependency #1040

Open
npetrackunit opened this issue Sep 26, 2024 · 4 comments
Open

Update rexml dependency #1040

npetrackunit opened this issue Sep 26, 2024 · 4 comments

Comments

@npetrackunit
Copy link

What do you want to happen?

There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-39908. We strongly recommend upgrading the REXML gem.

What happens now?

When it parses an XML that has many specific characters such as <, 0 and %>. REXML gem may take long time.

Please update REXML gem to version 3.3.2 or later.

Demo Code

_

Describe alternatives you've considered

None.

Additional context

Affected versions
REXML gem 3.3.2 or prior

@npetrackunit
Copy link
Author

Hey this is affecting the project I am working on since Starscream is a dependency for another package we need. If someone could take a look at this, that would be great! Thanks :)

@acmacalister @daltoniam

@andrii-bodnar
Copy link

Hi @acmacalister @daltoniam!

I'm Andrii from @crowdin, maintainer of the Crowdin iOS SDK - https://github.com/crowdin/mobile-sdk-ios.

This SDK depends on Starscream and we received the report about this vulnerability.

I was just wondering if it would be possible to fix it soon? We look forward to hearing from you and thank you in advance!

@andrii-bodnar
Copy link

andrii-bodnar commented Oct 10, 2024

It looks like there is already a pull request to fix this - #1026

UPD. It updates to the older version than we need.

@npetrackunit
Copy link
Author

Hi @acmacalister @daltoniam.

It has been over a month. If someone has seen this thread could you comment so I know someone is looking into fixing this?

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants