
ReDoS vulnerability in REXML

Low
kou published GHSA-2rxp-v6pw-ch6m Oct 28, 2024

Package

No package listed

Affected versions

<3.3.9

Patched versions

3.3.9

Description

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability: parsing XML that contains a hex numeric character reference (&#x...;) with many digits between the &# and the x...; makes the parser take a disproportionately long time.

This does not happen with Ruby 3.2 or later; Ruby 3.1 is the only maintained Ruby that is affected. Note that Ruby 3.1 reaches EOL in March 2025.

Patches

REXML 3.3.9 or later includes the fix for this vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.
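The following is an added example written for this advisory; it is not REXML's own code or test suite. It builds the input shape the advisory describes (many digits between &# and x in a hex character reference), checks whether the running Ruby/REXML pair falls inside the affected window (REXML < 3.3.9 on Ruby < 3.2), screens input for that shape before it reaches the parser, and times a parse. The digit threshold of 64, the helper names and the screening regex are assumptions made here for illustration, not anything from the project.

```ruby
# Added example for GHSA-2rxp-v6pw-ch6m; not REXML's own code.
require "rexml/document"
require "benchmark"

# Affected window per the advisory: REXML < 3.3.9 running on Ruby < 3.2.
def affected_environment?(ruby_version = RUBY_VERSION, rexml_version = REXML::VERSION)
  Gem::Version.new(ruby_version) < Gem::Version.new("3.2.0") &&
    Gem::Version.new(rexml_version) < Gem::Version.new("3.3.9")
end

# Constructed input (not from a real report): a hex character reference with
# `digits` digits between "&#" and "x", e.g. "&#0000x41;" for digits = 4.
def build_payload(digits)
  "<root>&#" + ("0" * digits) + "x41;</root>"
end

# Heuristic pre-parse screen (assumption, not part of REXML): flag any
# "&#<digits>x" run of at least `limit` digits. The possessive "++" consumes
# the digit run once and never backtracks, so the screen itself stays linear
# in the input size rather than reintroducing the problem it looks for.
def suspicious_char_ref?(xml, limit: 64)
  xml.scan(/&#(\d++)x/) { |(digits)| return true if digits.length >= limit }
  false
end

# Parses `xml` and returns [elapsed_seconds, outcome]. A parse error is
# reported as the exception class name rather than raised, because the
# signal of interest here is the elapsed time, not the parse result.
def parse_and_time(xml)
  outcome = nil
  elapsed = Benchmark.realtime do
    begin
      outcome = REXML::Document.new(xml).root.text
    rescue StandardError => e
      outcome = e.class.name
    end
  end
  [elapsed, outcome]
end

if __FILE__ == $0
  puts "Ruby #{RUBY_VERSION}, REXML #{REXML::VERSION}, affected window: #{affected_environment?}"
  [100, 1_000, 5_000].each do |n|
    payload = build_payload(n)
    elapsed, outcome = parse_and_time(payload)
    printf("%5d digits: screened=%-5s parse=%.3fs outcome=%s\n",
           n, suspicious_char_ref?(payload), elapsed, outcome.inspect)
  end
end
```

Run it on Ruby 3.1 with REXML 3.3.8 and on Ruby 3.2+ (or REXML 3.3.9) to compare the parse times as the digit count grows; the screen returns true for the constructed payloads and false for ordinary references such as &#x41; or &#65;, so it can sit in front of the parser on hosts that cannot yet move off Ruby 3.1.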

Severity

Low

CVE ID

CVE-2024-49761

Weaknesses

No CWEs