CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
VendorProductVersion
ruby-langrexml
𝑥
< 3.3.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby2.7
bullseye
vulnerable
bookworm
no-dsa
bullseye (security)
2.7.4-1+deb11u5
fixed
ruby3.1
bookworm
vulnerable
bookworm (security)
vulnerable
ruby3.3
forky
3.3.8-2
fixed
sid
3.3.8-2
fixed
trixie
3.3.8-2
fixed
bookworm
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jruby
questing
needs-triage
plucky
needs-triage
oracular
ignored
noble
needs-triage
jammy
dne
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
ruby2.3
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
xenial
Fixed 2.3.1-2~ubuntu16.04.16+esm10
released
ruby2.5
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
Fixed 2.5.1-1ubuntu1.16+esm4
released
ruby2.7
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 2.7.0-5ubuntu1.15
released
ruby3.0
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.0.2-7ubuntu2.8
released
focal
dne
ruby3.2
questing
dne
plucky
dne
oracular
dne
noble
Fixed 3.2.3-1ubuntu0.24.04.3
released
jammy
dne
focal
dne
ruby3.3
questing
Fixed 3.3.4-2ubuntu6
released
plucky
Fixed 3.3.4-2ubuntu6
released
oracular
Fixed 3.3.4-2ubuntu5.1
released
noble
dne
jammy
dne
focal
dne
Common Weakness Enumeration
References
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
https://security.netapp.com/advisory/ntap-20241227-0004/