Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/rexml@3.3.9
purl pkg:gem/rexml@3.3.9
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 2.4
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-trka-k7zz-bkh3
Aliases:
CVE-2025-58767
GHSA-c2f4-jgmc-q2r5
REXML has DoS condition when parsing malformed XML file The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.
3.4.2
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-msc8-xjz2-2kb4 REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org CVE-2024-49761
GHSA-2rxp-v6pw-ch6m

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T23:44:21.317304+00:00 GitLab Importer Affected by VCID-trka-k7zz-bkh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2025-58767.yml 38.4.0
2026-04-16T23:12:31.165375+00:00 GitLab Importer Fixing VCID-msc8-xjz2-2kb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml 38.4.0
2026-04-16T17:41:31.007289+00:00 Ruby Importer Affected by VCID-trka-k7zz-bkh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml 38.4.0
2026-04-12T01:05:12.659374+00:00 GitLab Importer Affected by VCID-trka-k7zz-bkh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2025-58767.yml 38.3.0
2026-04-12T00:30:58.076233+00:00 GitLab Importer Fixing VCID-msc8-xjz2-2kb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml 38.3.0
2026-04-11T21:39:25.698728+00:00 Ruby Importer Affected by VCID-trka-k7zz-bkh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml 38.3.0
2026-04-07T04:56:17.930910+00:00 GHSA Importer Fixing VCID-msc8-xjz2-2kb4 https://github.com/advisories/GHSA-2rxp-v6pw-ch6m 38.1.0
2026-04-03T01:13:36.871081+00:00 GitLab Importer Affected by VCID-trka-k7zz-bkh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2025-58767.yml 38.1.0
2026-04-03T00:38:39.069641+00:00 GitLab Importer Fixing VCID-msc8-xjz2-2kb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml 38.1.0
2026-04-02T19:36:57.094130+00:00 Ruby Importer Affected by VCID-trka-k7zz-bkh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml 38.1.0
2026-04-02T12:40:18.396971+00:00 GitLab Importer Fixing VCID-msc8-xjz2-2kb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml 38.0.0
2026-04-01T15:54:32.207141+00:00 Ruby Importer Affected by VCID-trka-k7zz-bkh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml 38.0.0
2026-04-01T12:49:15.387267+00:00 GithubOSV Importer Fixing VCID-msc8-xjz2-2kb4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-2rxp-v6pw-ch6m/GHSA-2rxp-v6pw-ch6m.json 38.0.0