GHSA-2rxp-v6pw-ch6m

Source

https://github.com/advisories/GHSA-2rxp-v6pw-ch6m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-2rxp-v6pw-ch6m/GHSA-2rxp-v6pw-ch6m.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-2rxp-v6pw-ch6m

Aliases

CVE-2024-49761

Downstream

MINI-ccr5-4hxf-p8rx

MINI-mr5h-rc2g-8v42

Related

Published

2024-10-28T14:10:18Z

Modified

2025-11-03T23:16:41.186562Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

REXML ReDoS vulnerability

Details

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

Database specific

{
    "cwe_ids": [
        "CWE-1333"
    ],
    "github_reviewed_at": "2024-10-28T14:10:18Z",
    "nvd_published_at": "2024-10-28T15:15:05Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

RubyGems / rexml

Package

Name: rexml
Purl: pkg:gem/rexml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.9

Affected versions

3.*

3.1.7.3

3.1.8

3.1.9

3.1.9.1

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8