PT-2024-8321 · Ruby +11

Manun · Published 2024-10-28 · Updated 2025-07-15 · CVE-2024-49761

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions:

REXML gem versions prior to 3.3.9

Ruby 3.1

Description:

The REXML gem before 3.3.9 has a ReDoS (regular expression denial of service) vulnerability: when it parses XML containing a hex numeric character reference (`&#x...;`) with many digits inserted between `&#` and `x...;`, the regular expression that matches the reference backtracks excessively, and the time spent grows far faster than the input size. An attacker who can supply XML to an application that parses it with REXML can therefore exhaust CPU time and cause a denial of service; no data is disclosed or modified. The vulnerability does not affect Ruby 3.2 or later. Ruby 3.1 is the only maintained Ruby version that is affected.

Recommendations:

For REXML gem versions prior to 3.3.9, update to version 3.3.9 or later to fix the vulnerability.

For Ruby 3.1, consider moving to Ruby 3.2 or later, which is not affected; Ruby 3.1 reaches end-of-life in 2025, so updating the REXML gem alone leaves you on an interpreter that will stop receiving fixes.
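The following Ruby script is an added example for this advisory and is not REXML's or Ruby's own code. It covers the description and both recommendations above: a version check against the affected range, a generator for the input shape the advisory describes (many digits between `&#` and `x...;`) for exercising a parser in a test harness, and a linear-time pre-screen that rejects oversized numeric character references before untrusted XML reaches REXML, as a stop-gap for hosts still on Ruby 3.1 with an unpatched gem. The digit limit and all method names are assumptions for illustration; only `Gem::Version`, `REXML::VERSION` and `REXML::Document` are real APIs.

```ruby
# Added example for CVE-2024-49761 (not REXML's or Ruby's own code).
# Method names, the digit ceiling and the sample inputs are assumptions.
require "rubygems"

FIXED_REXML_VERSION = Gem::Version.new("3.3.9")

# True when a REXML gem with this version string is in the affected range.
def rexml_affected?(rexml_version)
  Gem::Version.new(rexml_version) < FIXED_REXML_VERSION
end

# The advisory states Ruby 3.2 and later are not affected, so a host is
# exposed only when both the interpreter and the gem are in range.
def host_affected?(ruby_version, rexml_version)
  Gem::Version.new(ruby_version) < Gem::Version.new("3.2") &&
    rexml_affected?(rexml_version)
end

# Reports on the interpreter running this script. Returns nil when REXML
# cannot be loaded at all (nothing to be exposed through in that case).
def running_host_affected?
  require "rexml/rexml" # defines REXML::VERSION
  host_affected?(RUBY_VERSION, REXML::VERSION)
rescue LoadError
  nil
end

# Constructed test input: a hex character reference for +hex+ with +n+
# digits inserted between "&#" and "x", the shape the advisory describes.
# Raise +n+ to probe how a given parser/interpreter pair behaves.
def charref_payload(n, hex = "41")
  "<a>&##{"0" * n}x#{hex};</a>"
end

# Assumed ceiling: the largest code point (x10FFFF hex, 1114111 decimal)
# needs 7 characters, so legitimate documents never exceed this.
MAX_CHARREF_DIGITS = 8

# Returns the body of the first numeric character reference longer than
# +limit+, or nil. The pattern has a single quantifier and no overlapping
# alternatives, so the scan itself is linear in the input length.
def oversized_charref(xml, limit = MAX_CHARREF_DIGITS)
  xml.scan(/&#([0-9A-Za-z]+);/) { |(body)| return body if body.length > limit }
  nil
end

# Screen first, then hand the document to REXML. REXML is required here,
# not at the top, so the checks above still work where the gem is absent.
def screen_and_parse(xml)
  if (body = oversized_charref(xml))
    raise ArgumentError, "rejected numeric character reference of #{body.length} chars"
  end
  require "rexml/document"
  REXML::Document.new(xml)
end

if $PROGRAM_NAME == __FILE__
  puts "REXML 3.3.8 affected?      #{rexml_affected?('3.3.8')}"
  puts "Ruby 3.1.6 + REXML 3.3.8:  #{host_affected?('3.1.6', '3.3.8')}"
  puts "Ruby 3.2.5 + REXML 3.3.8:  #{host_affected?('3.2.5', '3.3.8')}"
  puts "this host:                 #{running_host_affected?.inspect}"
  puts "payload screened:          #{oversized_charref(charref_payload(100_000)).length} chars"
end
```

The pre-screen is a mitigation, not a fix: it stops the specific input shape named in the advisory from reaching the vulnerable regular expression, but updating the gem to 3.3.9 or later (or the interpreter to 3.2 or later) is what removes the vulnerability.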

Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

ALSA-2024:10834
ALSA-2024:10850
ALSA-2024:10858
ALSA-2024:10860
BDU:2024-09876
CESA-2024_10834
CESA-2024_10850
CESA-2025_11047
CVE-2024-49761
DLA-4018-1
DLA-4018-2
GHSA-2RXP-V6PW-CH6M
INFSA-2024_10834
INFSA-2024_10850
INFSA-2024_10858
INFSA-2024_10860
INFSA-2025_11047
MGASA-2025-0001
OPENSUSE-SU-2025:0129-1
OPENSUSE-SU-2025_0736-1
RHSA-2024:10777
RHSA-2024:10834
RHSA-2024:10850
RHSA-2024:10858
RHSA-2024:10860
RHSA-2024:10961
RHSA-2024:10964
RHSA-2024:10966
RHSA-2024:10977
RHSA-2024:10982
RHSA-2024:10984
RHSA-2024:11001
RHSA-2024:11027
RHSA-2024:11028
RHSA-2024:11029
RHSA-2024_10834
RHSA-2024_10850
RHSA-2024_10858
RHSA-2024_10860
RHSA-2025:11047
RHSA-2025_11047
RLSA-2024:10834
RLSA-2024:10850
RLSA-2024:10858
RLSA-2024:10860
SUSE-SU-2025:0736-1
USN-7091-1
USN-7091-2
USN-7442-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
REXML
Red Hat
RED OS
Rocky Linux
Ruby
SUSE
Ubuntu