PT-2024-7269 · Ruby+11 · Rexml+11
Mprogrammer · Published 2024-05-16 · Updated 2025-10-27
CVE-2024-39908
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: REXML versions prior to 3.3.1; REXML versions prior to 3.2.7
Description: Denial-of-service vulnerabilities in the REXML gem for Ruby. When parsing XML that contains many specific characters, such as <, 0, and %>, the gem may be affected. Users who need to parse untrusted XML documents may be exposed to these vulnerabilities.
Recommendations: For REXML versions prior to 3.3.1, upgrade to version 3.3.2 or later to fix the vulnerabilities. For REXML versions prior to 3.2.7, upgrade to version 3.2.7 or later to fix the vulnerability. As a temporary workaround, consider avoiding the parsing of untrusted XML strings until a patch is available.

Exploit · Fix · DoS · Allocation of Resources Without Limits · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:6784
ALSA-2024:6785
ALSA-2024_6784
ALSA-2024_6785
ALSA-2025:4063
ALSA-2025:4488
ALSA-2025_4488
AZL-45429
AZL-45435
AZL-45439
AZL-45769
BDU:2024-08621
CESA-2024_6784
CESA-2025_4063
CVE-2024-39908
DLA-4018-1
DLA-4018-2
ECHO-B0CC-A0A5-6BBA
GHSA-4XQQ-M2HX-25V8
GHSA-R55C-59QM-VJW6
GHSA-VG3R-RM7W-2XGH
INFSA-2024_6784
INFSA-2024_6785
INFSA-2025_4063
INFSA-2025_4488
MGASA-2025-0001
OESA-2024-2114
OPENSUSE-SU-2025:0129-1
RHSA-2024:6784
RHSA-2024:6785
RHSA-2024_6784
RHSA-2024_6785
RHSA-2025:4063
RHSA-2025:4488
RHSA-2025_4063
RHSA-2025_4488
RLSA-2024:6784
RLSA-2024:6785
SUSE-SU-2024:3874-1
USN-7091-1
USN-7091-2
USN-7256-1
USN-7256-2
USN-7418-1
USN-7840-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Rexml
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu