Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-39908

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

Published

2024-07-16T18:15:08.167

Last Modified

2025-09-19T15:50:19.523

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-400

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	ruby-lang	rexml	< 3.3.2	Yes
Operating System	netapp	bootstrap_os	-	Yes
Hardware	netapp	hci_compute_node	-	No

References

https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 Vendor Advisory ([email protected])
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908 Vendor Advisory ([email protected])
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20250117-0008/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)