CVE-2024-49761
HIGH severity · CVSS 7.5 · CWE-1333
7.5CVSS HIGH
Summary
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactNone
Integrity impactNone
Availability impactHigh
Exploit probability (EPSS)1%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f ↗
Additional information
- NVD record
- https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979fPatch
- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761Advisory
- https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6mAdvisory
- https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
- https://security.netapp.com/advisory/ntap-20241227-0004/Advisory