VulnerableCode Package Details - pkg:gem/rexml@3.3.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-bdtz-3mgw-4kga Aliases: CVE-2024-49761 GHSA-2rxp-v6pw-ch6m	REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org	3.3.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-bdtz-3mgw-4kga
Aliases:
CVE-2024-49761
GHSA-2rxp-v6pw-ch6m

REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

3.3.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-v8uu-3mwj-j3a9	REXML denial of service vulnerability ### Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. ### Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with tree parser API. ### References * https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org	CVE-2024-43398 GHSA-vmwr-mc7x-5vc3

Vulnerability

Summary

Aliases

VCID-v8uu-3mwj-j3a9

REXML denial of service vulnerability ### Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. ### Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with tree parser API. ### References * https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

CVE-2024-43398
GHSA-vmwr-mc7x-5vc3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:14:19.442084+00:00	GitLab Importer	Affected by	VCID-bdtz-3mgw-4kga	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml	37.0.0
2025-07-03T13:57:08.278286+00:00	GitLab Importer	Fixing	VCID-v8uu-3mwj-j3a9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-43398.yml	36.1.3
2025-07-01T14:35:26.492050+00:00	GHSA Importer	Fixing	VCID-v8uu-3mwj-j3a9	https://github.com/advisories/GHSA-vmwr-mc7x-5vc3	36.1.3
2025-07-01T12:10:12.600389+00:00	GithubOSV Importer	Fixing	VCID-v8uu-3mwj-j3a9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-vmwr-mc7x-5vc3/GHSA-vmwr-mc7x-5vc3.json	36.1.3