PT-2024-6382 · Rexml+11
Lowkou · Published 2024-08-22 · Updated 2025-11-03
CVE-2024-43398 · CVSS v4.0 8.2 High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
REXML versions prior to 3.3.6
Description
The REXML gem has a DoS vulnerability when it parses an XML document that has many deep elements that have the same local name attributes. This issue affects users who need to parse untrusted XML documents with the tree parser API, such as REXML::Document.new. Users of other parser APIs, such as the stream parser API and the SAX2 parser API, are not affected.
Recommendations
For versions prior to 3.3.6, update to REXML gem 3.3.6 or later to fix the vulnerability.
As a temporary workaround, consider not parsing untrusted XML documents with the tree parser API until a patch is available.
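The workaround above, parsing untrusted input with a parser API other than the tree parser, as an added Ruby example (not code from the advisory or from the REXML project): it feeds the document to REXML's stream parser API, which the advisory lists as unaffected, adds a nesting-depth cap as an extra guard so that deeply nested input is rejected early instead of being processed to the end, and checks an installed REXML version against the fixed release 3.3.6. The listener class, the function names, the default depth limit of 64 and the two sample documents are assumptions constructed for this example.

```ruby
# Added example: handle untrusted XML with REXML's stream parser API instead of
# the tree parser (REXML::Document.new), plus a nesting-depth limit.
# Not the advisory's or the REXML project's own code; names are assumptions.
require 'rexml/document'
require 'rexml/streamlistener'
require 'rexml/parsers/streamparser'

# Raised when the input nests deeper than the configured limit.
class XmlTooDeep < StandardError; end

# Stream listener that tracks element depth and aborts past a limit.
# The stream API never builds an in-memory tree, so no per-node work
# accumulates the way it does in the tree parser.
class DepthLimitedListener
  include REXML::StreamListener

  attr_reader :max_depth_seen, :element_count

  def initialize(max_depth)
    @max_depth = max_depth
    @depth = 0
    @max_depth_seen = 0
    @element_count = 0
  end

  # Called for every opening (or self-closing) tag.
  def tag_start(_name, _attrs)
    @depth += 1
    @element_count += 1
    @max_depth_seen = @depth if @depth > @max_depth_seen
    raise XmlTooDeep, "nesting depth #{@depth} exceeds limit #{@max_depth}" if @depth > @max_depth
  end

  # Called for every closing tag.
  def tag_end(_name)
    @depth -= 1
  end
end

# Parse untrusted XML with the stream parser and a depth cap (64 is an
# assumed default). Returns a result hash rather than raising, so callers
# can log and drop bad input without wrapping every call in a rescue.
def parse_untrusted_xml(xml, max_depth: 64)
  listener = DepthLimitedListener.new(max_depth)
  REXML::Parsers::StreamParser.new(xml, listener).parse
  { ok: true, depth: listener.max_depth_seen, elements: listener.element_count }
rescue XmlTooDeep, REXML::ParseException => e
  { ok: false, error: e.message }
end

# True when the given REXML version is at or past the fixed release 3.3.6.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= Gem::Version.new('3.3.6')
end

# Constructed sample inputs (not taken from the advisory).
SHALLOW_XML = '<root><item id="1"/><item id="2"/></root>'
DEEP_XML = ('<a>' * 10) + ('</a>' * 10)

if $PROGRAM_NAME == __FILE__
  p parse_untrusted_xml(SHALLOW_XML)                # ok, depth 2, 3 elements
  p parse_untrusted_xml(DEEP_XML, max_depth: 5)     # rejected: depth 6 > 5
  p rexml_patched?                                  # depends on installed gem
end
```

The depth cap is an additional guard, not a replacement for upgrading to 3.3.6: the version check is what tells you whether the tree parser is still safe to use on untrusted input at all.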
Tags: Exploit · Fix · DoS · XML Entity Expansion
Affected Products
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Apple Macos
Rexml
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu