VulnerableCode Package Details - pkg:gem/rexml@3.3.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-msc8-xjz2-2kb4 Aliases: CVE-2024-49761 GHSA-2rxp-v6pw-ch6m	REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org	3.3.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-trka-k7zz-bkh3 Aliases: CVE-2025-58767 GHSA-c2f4-jgmc-q2r5	REXML has DoS condition when parsing malformed XML file The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.	3.4.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-msc8-xjz2-2kb4
Aliases:
CVE-2024-49761
GHSA-2rxp-v6pw-ch6m

REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

3.3.9
Affected by 1 other vulnerability.

VCID-trka-k7zz-bkh3
Aliases:
CVE-2025-58767
GHSA-c2f4-jgmc-q2r5

REXML has DoS condition when parsing malformed XML file The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

3.4.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-jdtw-bn8z-e3b6	REXML denial of service vulnerability ### Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. ### Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with tree parser API. ### References * https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org	CVE-2024-43398 GHSA-vmwr-mc7x-5vc3

Vulnerability

Summary

Aliases

VCID-jdtw-bn8z-e3b6

REXML denial of service vulnerability ### Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. ### Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with tree parser API. ### References * https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

CVE-2024-43398
GHSA-vmwr-mc7x-5vc3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:44:21.306715+00:00	GitLab Importer	Affected by	VCID-trka-k7zz-bkh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2025-58767.yml	38.4.0
2026-04-16T23:12:31.155661+00:00	GitLab Importer	Affected by	VCID-msc8-xjz2-2kb4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml	38.4.0
2026-04-16T17:41:31.003420+00:00	Ruby Importer	Affected by	VCID-trka-k7zz-bkh3	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml	38.4.0
2026-04-12T01:05:12.647934+00:00	GitLab Importer	Affected by	VCID-trka-k7zz-bkh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2025-58767.yml	38.3.0
2026-04-12T00:30:58.065119+00:00	GitLab Importer	Affected by	VCID-msc8-xjz2-2kb4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml	38.3.0
2026-04-11T21:39:25.686521+00:00	Ruby Importer	Affected by	VCID-trka-k7zz-bkh3	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml	38.3.0
2026-04-03T01:13:36.860558+00:00	GitLab Importer	Affected by	VCID-trka-k7zz-bkh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2025-58767.yml	38.1.0
2026-04-03T00:38:39.058725+00:00	GitLab Importer	Affected by	VCID-msc8-xjz2-2kb4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml	38.1.0
2026-04-02T19:36:57.089577+00:00	Ruby Importer	Affected by	VCID-trka-k7zz-bkh3	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml	38.1.0
2026-04-02T12:39:57.321282+00:00	GitLab Importer	Fixing	VCID-jdtw-bn8z-e3b6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-43398.yml	38.0.0
2026-04-01T16:06:17.472240+00:00	GHSA Importer	Fixing	VCID-jdtw-bn8z-e3b6	https://github.com/advisories/GHSA-vmwr-mc7x-5vc3	38.0.0
2026-04-01T15:54:32.193755+00:00	Ruby Importer	Affected by	VCID-trka-k7zz-bkh3	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml	38.0.0
2026-04-01T12:50:44.737690+00:00	GithubOSV Importer	Fixing	VCID-jdtw-bn8z-e3b6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-vmwr-mc7x-5vc3/GHSA-vmwr-mc7x-5vc3.json	38.0.0