CVE-2024-39908

MEDIUM

Ruby-lang Rexml < 3.3.2 - Denial of Service

Title source: rule

Description

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

Exploits (1)

nomisec STUB

by SpiralBL0CK · poc

https://github.com/SpiralBL0CK/CVE-2024-39908

View Code ZIP pw:eip

References (4)

[Vendor Advisory] https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8

[Vendor Advisory] https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20250117-0008/

Scores

CVSS v3 4.3

EPSS 0.0803

EPSS Percentile 92.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Details

CWE

CWE-400

Status published

Products (3)

netapp/bootstrap_os

rubygems/rexml 0 - 3.3.2RubyGems

ruby-lang/rexml < 3.3.2

Published Jul 16, 2024

Tracked Since Feb 18, 2026