CVE-2024-39908

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39908
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39908.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-39908
Aliases
Downstream
Related
Published
2024-07-16T17:28:07Z
Modified
2025-10-20T20:27:18.420107Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Denial of service in REXML
Details

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

Database specific 
{
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/ruby/rexml

Affected ranges

Type
GIT
Repo
https://github.com/ruby/rexml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2b285ac0804f2918de642f7ed4646dc6d645a7fc

Affected versions

v3.*

v3.1.8
v3.1.9
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1