CVE-2024-41946

MEDIUM

Ruby-lang Rexml < 3.3.3 - Denial of Service

Title source: rule

Description

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

References (6)

Core 6

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html

Vendor Advisory

https://security.netapp.com/advisory/ntap-20250117-0007/

Vendor Advisory x_refsource_confirm

https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4

Patch x_refsource_misc

https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368

View Patch ZIP pw:eip

Not Applicable x_refsource_misc

https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml

Vendor Advisory x_refsource_misc

https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946

Scores

CVSS v3 5.3

EPSS 0.0066

EPSS Percentile 71.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (2)

ruby-lang/rexml < 3.3.3

rubygems/rexml 0 - 3.3.3RubyGems

Published Aug 01, 2024

Tracked Since Feb 18, 2026