CVE-2024-39908

MEDIUM

REXML < 3.3.2 - Denial of Service via Malformed XML Parsing

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-39908. PoCs published by SpiralBL0CK.

AI-analyzed exploit summary The repository contains only a minimal README with no exploit code, technical details, or functional proof-of-concept. It is a placeholder with no substantive content.

Description

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

Exploits (1)

nomisec STUB
by SpiralBL0CK · poc
https://github.com/SpiralBL0CK/CVE-2024-39908

The repository contains only a minimal README with no exploit code, technical details, or functional proof-of-concept. It is a placeholder with no substantive content.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 4.3
EPSS 0.0833
EPSS Percentile 92.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (3)
netapp/bootstrap_os
ruby-lang/rexml < 3.3.2
rubygems/rexml 0 - 3.3.2RubyGems
Published Jul 16, 2024
Tracked Since Feb 18, 2026