Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Published

2024-10-28T15:15:05.157

Last Modified

2025-03-21T16:37:05.047

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-1333

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	ruby-lang	rexml	< 3.3.9	Yes
Application	ruby-lang	ruby	< 3.2.0	No
Application	netapp	ontap_tools	10	Yes

References

https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f Patch ([email protected])
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m Third Party Advisory ([email protected])
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761 Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20241227-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)