VulnerableCode Package Details - pkg:gem/rexml@3.3.7

Search for packages

Package details: pkg:gem/rexml@3.3.7

Essentials
History (1)

purl	pkg:gem/rexml@3.3.7

Next non-vulnerable version	3.3.9
Latest non-vulnerable version	3.3.9
Risk	3.4

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-bdtz-3mgw-4kga Aliases: CVE-2024-49761 GHSA-2rxp-v6pw-ch6m	REXML ReDoS vulnerability ### Impact The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. ### Patches The REXML gem 3.3.9 or later include the patch to fix the vulnerability. ### Workarounds Use Ruby 3.2 or later instead of Ruby 3.1. ### References * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org	3.3.9 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:14:19.444569+00:00	GitLab Importer	Affected by	VCID-bdtz-3mgw-4kga	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rexml/CVE-2024-49761.yml	37.0.0