REXML 3.3.8 ReDoS via Hex Numeric Ref
CVE-2024-49761 Published on October 28, 2024
REXML ReDoS vulnerability
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Weakness Type
What is a ReDoS Vulnerability?
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:
CVE-2024-49761 has been classified to as a ReDoS vulnerability or weakness.
Products Associated with CVE-2024-49761
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-49761 are published in these products:
Affected Versions
ruby rexml:- Version < 3.3.9 is affected.
- Before 3.3.9 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-49761
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| rubygems | rexml | < 3.3.9 | 3.3.9 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.