CVE-2025-58767 (rexml): REXML has DoS condition when parsing malformed XML file

ADVISORIES

CVE-2025-58767 (NVD)
GHSA-c2f4-jgmc-q2r5
Vendor Advisory

GEM

rexml

UNAFFECTED VERSIONS

< 3.3.3

PATCHED VERSIONS

>= 3.4.2

DESCRIPTION

Impact

The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

REXML gems 3.4.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767
- An announcement on www.ruby-lang.org

https://nvd.nist.gov/vuln/detail/CVE-2025-58767
https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767
https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5
https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23
https://github.com/advisories/GHSA-c2f4-jgmc-q2r5

RubySec