PT-2024-6376 · Ruby · Rexml

Naitoh · Published 2024-08-01 · Updated 2026-03-29 · CVE-2024-41946

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: REXML versions prior to 3.3.3
Description: The issue is an uncontrolled resource consumption in the REXML XML toolkit for Ruby. When REXML parses an XML document containing many entity expansions with the SAX2 or pull parser API, parsing can consume enough resources to cause a denial of service. Applications that parse untrusted XML with the SAX2 or pull parser API may be affected.
Recommendations: For versions prior to 3.3.3, update to REXML gem 3.3.3 or later to fix the vulnerability. As a temporary workaround, avoid parsing untrusted XML with the SAX2 or pull parser API until the issue is resolved.

Exploit · Fix

Weakness Enumeration: DoS · Allocation of Resources Without Limits · Resource Exhaustion

Related Identifiers

ALSA-2024:6670
ALSA-2024:6784
ALSA-2024:6785
ALSA-2025:4063
ALSA-2025:4488
ALSA-2025_4488
AZL-47331
AZL-47358
AZL-47370
AZL-47376
BDU:2024-07419
CESA-2024_6670
CESA-2024_6784
CESA-2025_4063
CVE-2024-41946
DLA-4018-1
DLA-4018-2
ECHO-3A4A-5767-3E7D
GHSA-5866-49GR-22V4
INFSA-2024_6670
INFSA-2024_6784
INFSA-2024_6785
INFSA-2025_4063
INFSA-2025_4488
MGASA-2025-0001
OESA-2024-2038
OPENSUSE-SU-2025:0129-1
RHSA-2024:6670
RHSA-2024:6702
RHSA-2024:6703
RHSA-2024:6784
RHSA-2024:6785
RHSA-2024_6670
RHSA-2024_6784
RHSA-2024_6785
RHSA-2025:4063
RHSA-2025:4488
RHSA-2025_4063
RHSA-2025_4488
RLSA-2024:6670
RLSA-2024:6784
RLSA-2024:6785
SUSE-SU-2024:3874-1
USN-7091-1
USN-7091-2
USN-7840-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
REXML
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu