RubySec

Providing security resources for the Ruby community

CVE-2024-49761 (rexml): REXML ReDoS vulnerability

GEM

rexml

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • >= 3.3.9

DESCRIPTION

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between the &# and the x...; of a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.
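As an added example (not part of this advisory or of the rexml project), the two conditions above expressed as a Ruby check against a Gemfile.lock: a bundle is flagged only when the pinned rexml is below 3.3.9 and the running Ruby is below 3.2. The lock file excerpt is constructed.

```ruby
require "rubygems"

# Thresholds from the advisory: rexml >= 3.3.9 carries the fix, and the
# ReDoS is only reachable when the process runs on Ruby < 3.2.
PATCHED_REXML = Gem::Requirement.new(">= 3.3.9")
SAFE_RUBY     = Gem::Requirement.new(">= 3.2")

# Constructed Gemfile.lock excerpt (not from any real project) with a
# pre-fix rexml pinned. The deeper-indented "rexml (>= ...)" line is a
# transitive constraint, not the pinned version, and must be ignored.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
        rexml (>= 3.2.5)
      rexml (3.3.8)
        strscan
      strscan (3.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rexml
LOCK

# Version of rexml pinned in the lock's specs section (exactly 4-space
# indent, version starting with a digit), or nil when rexml is not bundled.
def locked_rexml_version(lockfile_text)
  pinned = lockfile_text[/^ {4}rexml \((\d[^)]*)\)$/, 1]
  pinned && Gem::Version.new(pinned)
end

# Classify a bundle for this advisory; defaults to the interpreter we run on.
def assess(lockfile_text, ruby_version = Gem::Version.new(RUBY_VERSION))
  rexml = locked_rexml_version(lockfile_text)
  return :no_rexml if rexml.nil?
  return :patched if PATCHED_REXML.satisfied_by?(rexml)
  # Unpatched rexml: the ReDoS is only reachable on the affected Ruby line.
  SAFE_RUBY.satisfied_by?(ruby_version) ? :unaffected_ruby : :vulnerable
end

puts "sample lock on Ruby 3.1.6: #{assess(SAMPLE_LOCK, Gem::Version.new('3.1.6'))}"
puts "sample lock on Ruby 3.2.5: #{assess(SAMPLE_LOCK, Gem::Version.new('3.2.5'))}"
```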

References

  • https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
    • Announced on www.ruby-lang.org.
