Search for packages
| purl | pkg:gem/rexml@3.3.7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-msc8-xjz2-2kb4
Aliases: CVE-2024-49761 GHSA-2rxp-v6pw-ch6m |
REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org |
Affected by 1 other vulnerability. |
|
VCID-trka-k7zz-bkh3
Aliases: CVE-2025-58767 GHSA-c2f4-jgmc-q2r5 |
REXML has DoS condition when parsing malformed XML file The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||