VulnerableCode Package Details - pkg:ebuild/dev-ruby/rexml@3.3.9

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-c5xq-bv4t-73ff	REXML contains a denial of service vulnerability ### Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `>`s in an attribute value. If you need to parse untrusted XMLs, you may be impacted to this vulnerability. ### Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. ### Workarounds Don't parse untrusted XMLs. ### References * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/	CVE-2024-35176 GHSA-vg3r-rm7w-2xgh
VCID-jdtw-bn8z-e3b6	REXML denial of service vulnerability ### Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. ### Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with tree parser API. ### References * https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org	CVE-2024-43398 GHSA-vmwr-mc7x-5vc3
VCID-m6hy-vnf9-hyfe	REXML DoS vulnerability ### Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. ### Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. ### References * https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org	CVE-2024-41946 GHSA-5866-49gr-22v4
VCID-msc8-xjz2-2kb4	REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org	CVE-2024-49761 GHSA-2rxp-v6pw-ch6m
VCID-qu1w-yd76-t7c1	REXML denial of service vulnerability ### Impact The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/	CVE-2024-39908 GHSA-4xqq-m2hx-25v8
VCID-yj1t-rga1-x3ev	REXML DoS vulnerability ### Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org	CVE-2024-41123 GHSA-r55c-59qm-vjw6

Vulnerability

Summary

Aliases

VCID-c5xq-bv4t-73ff

REXML contains a denial of service vulnerability ### Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `>`s in an attribute value. If you need to parse untrusted XMLs, you may be impacted to this vulnerability. ### Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. ### Workarounds Don't parse untrusted XMLs. ### References * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

CVE-2024-35176
GHSA-vg3r-rm7w-2xgh

VCID-jdtw-bn8z-e3b6

REXML denial of service vulnerability ### Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. ### Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with tree parser API. ### References * https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

CVE-2024-43398
GHSA-vmwr-mc7x-5vc3

VCID-m6hy-vnf9-hyfe

REXML DoS vulnerability ### Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. ### Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. ### References * https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

CVE-2024-41946
GHSA-5866-49gr-22v4

VCID-msc8-xjz2-2kb4

REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

CVE-2024-49761
GHSA-2rxp-v6pw-ch6m

VCID-qu1w-yd76-t7c1

REXML denial of service vulnerability ### Impact The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

CVE-2024-39908
GHSA-4xqq-m2hx-25v8

VCID-yj1t-rga1-x3ev

REXML DoS vulnerability ### Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

CVE-2024-41123
GHSA-r55c-59qm-vjw6

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:58:32.082575+00:00	Gentoo Importer	Fixing	VCID-msc8-xjz2-2kb4	https://security.gentoo.org/glsa/202507-08	38.0.0
2026-04-01T12:58:32.074180+00:00	Gentoo Importer	Fixing	VCID-jdtw-bn8z-e3b6	https://security.gentoo.org/glsa/202507-08	38.0.0
2026-04-01T12:58:32.065768+00:00	Gentoo Importer	Fixing	VCID-m6hy-vnf9-hyfe	https://security.gentoo.org/glsa/202507-08	38.0.0
2026-04-01T12:58:32.057464+00:00	Gentoo Importer	Fixing	VCID-yj1t-rga1-x3ev	https://security.gentoo.org/glsa/202507-08	38.0.0
2026-04-01T12:58:32.049254+00:00	Gentoo Importer	Fixing	VCID-qu1w-yd76-t7c1	https://security.gentoo.org/glsa/202507-08	38.0.0
2026-04-01T12:58:32.040431+00:00	Gentoo Importer	Fixing	VCID-c5xq-bv4t-73ff	https://security.gentoo.org/glsa/202507-08	38.0.0