Vulnerability details: VCID-bdtz-3mgw-4kga
Vulnerability ID VCID-bdtz-3mgw-4kga
Aliases CVE-2024-49761
GHSA-2rxp-v6pw-ch6m
Summary REXML ReDoS vulnerability
### Impact
The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later; Ruby 3.1 is the only affected Ruby still under maintenance. Note that Ruby 3.1 reaches EOL in 2025-03.
### Patches
REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.
### Workarounds
Use Ruby 3.2 or later instead of Ruby 3.1.
### References
* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: announcement on www.ruby-lang.org
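Two checks a practitioner would want against this advisory, written here in Ruby as an added example (this is not code from the REXML project, the GitHub advisory or this page). It applies the advisory's two conditions (rexml older than 3.3.9 and Ruby older than 3.2) to a gem/interpreter pair, reads the pinned rexml version out of Bundler's Gemfile.lock layout, and pre-screens untrusted XML for the "many digits in a numeric character reference" shape before an unpatched REXML sees it. The 16-character threshold, the `guarded_parse` wrapper with its timeout, and the sample lock file are this example's own constructions and assumptions, not mitigations the advisory prescribes; the only real fix is upgrading rexml or Ruby.

```ruby
# Added example, not REXML project code.  Version exposure check plus an
# input pre-screen for CVE-2024-49761 (REXML ReDoS in numeric char refs).
require "rubygems"

FIXED_REXML = Gem::Version.new("3.3.9")   # advisory: 3.3.9 or later is patched
SAFE_RUBY   = Gem::Version.new("3.2.0")   # advisory: Ruby 3.2+ is not affected

# Exposed only when BOTH hold: the gem is older than 3.3.9 AND the
# interpreter is older than 3.2 (the advisory says 3.2+ does not trigger it).
def affected?(rexml_version, ruby_version)
  Gem::Version.new(rexml_version) < FIXED_REXML &&
    Gem::Version.new(ruby_version) < SAFE_RUBY
end

# Pull the resolved rexml version out of Gemfile.lock text.  Assumption:
# Bundler's layout, where resolved gems appear as "    rexml (3.3.6)".
def locked_rexml_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A\s+rexml \((\d+(?:\.\d+)+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Constructed Gemfile.lock fragment for the demo; not from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7)
      rexml (3.3.6)
      strscan (3.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rexml
LOCK

# Heuristic pre-screen (this example's own threshold, not from the advisory).
# The longest legitimate reference is &#x10FFFF; (8 chars between "&#" and
# ";"), so 16 leaves headroom while catching the "many digits" shape the
# advisory describes.  Plain index() scanning rather than a regex, so the
# guard itself has nothing to backtrack on.  It also fires on "&#" inside
# CDATA or comments, which is an acceptable false positive for a filter.
def oversized_numeric_char_ref?(xml, max_len: 16)
  pos = 0
  while (start = xml.index("&#", pos))
    body_start = start + 2
    stop = xml.index(";", body_start) || xml.length  # unterminated: count to EOF
    return true if stop - body_start > max_len
    pos = stop + 1
  end
  false
end

# Screen first, then parse under a wall-clock budget.  Returns :rejected or
# :timed_out instead of a document.  The timeout is a backstop, not a fix.
def guarded_parse(xml, max_ref_len: 16, budget_seconds: 2)
  return :rejected if oversized_numeric_char_ref?(xml, max_len: max_ref_len)
  require "rexml/document"
  require "timeout"
  Timeout.timeout(budget_seconds) { REXML::Document.new(xml) }
rescue Timeout::Error
  :timed_out
end

if $PROGRAM_NAME == __FILE__
  locked = locked_rexml_version(SAMPLE_LOCK)
  puts "rexml pinned in lock file: #{locked}"
  puts "affected on Ruby 3.1.6?  #{affected?(locked, '3.1.6')}"
  puts "affected on this Ruby (#{RUBY_VERSION})?  #{affected?(locked, RUBY_VERSION)}"
  # Constructed input with the shape the advisory describes (many digits
  # before "x...;"); it is screened out before REXML ever parses it.
  hostile = "<a>&#" + ("0" * 5000) + "x41;</a>"
  puts "hostile input: #{guarded_parse(hostile).inspect}"
end
```

On a benign document `guarded_parse` returns the `REXML::Document`; the pre-screen is cheap enough to sit in front of every untrusted parse while the fleet is still on Ruby 3.1 with an old rexml.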
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49761.json
epss 0.00361 https://api.first.org/data/v1/epss?cve=CVE-2024-49761
epss 0.00473 https://api.first.org/data/v1/epss?cve=CVE-2024-49761
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
cvssv3.1 7.5 https://github.com/ruby/rexml
generic_textual MODERATE https://github.com/ruby/rexml
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
cvssv4 6.6 https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
generic_textual MODERATE https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
ssvc Track https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
cvssv3 7.5 https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
cvssv3.1 7.5 https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
cvssv3.1_qr MODERATE https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
cvssv4 6.6 https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
generic_textual MODERATE https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
ssvc Track https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-49761
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-49761
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20241227-0004
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20241227-0004
cvssv3.1 7.5 https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
cvssv4 6.6 https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
generic_textual MODERATE https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
ssvc Track https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49761.json
https://api.first.org/data/v1/epss?cve=CVE-2024-49761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49761
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/ruby/rexml
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml
https://nvd.nist.gov/vuln/detail/CVE-2024-49761
https://security.netapp.com/advisory/ntap-20241227-0004
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
1103790 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103790
2322153 https://bugzilla.redhat.com/show_bug.cgi?id=2322153
cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*
GHSA-2rxp-v6pw-ch6m https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
RHSA-2024:10777 https://access.redhat.com/errata/RHSA-2024:10777
RHSA-2024:10834 https://access.redhat.com/errata/RHSA-2024:10834
RHSA-2024:10850 https://access.redhat.com/errata/RHSA-2024:10850
RHSA-2024:10858 https://access.redhat.com/errata/RHSA-2024:10858
RHSA-2024:10860 https://access.redhat.com/errata/RHSA-2024:10860
RHSA-2024:10961 https://access.redhat.com/errata/RHSA-2024:10961
RHSA-2024:10964 https://access.redhat.com/errata/RHSA-2024:10964
RHSA-2024:10966 https://access.redhat.com/errata/RHSA-2024:10966
RHSA-2024:10977 https://access.redhat.com/errata/RHSA-2024:10977
RHSA-2024:10982 https://access.redhat.com/errata/RHSA-2024:10982
RHSA-2024:10984 https://access.redhat.com/errata/RHSA-2024:10984
RHSA-2024:11001 https://access.redhat.com/errata/RHSA-2024:11001
RHSA-2024:11027 https://access.redhat.com/errata/RHSA-2024:11027
RHSA-2024:11028 https://access.redhat.com/errata/RHSA-2024:11028
RHSA-2024:11029 https://access.redhat.com/errata/RHSA-2024:11029
USN-7091-1 https://usn.ubuntu.com/7091-1/
USN-7091-2 https://usn.ubuntu.com/7091-2/
USN-7442-1 https://usn.ubuntu.com/7442-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49761.json
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector: network; Attack Complexity: high; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/ruby/rexml
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Attack Vector: network; Attack Complexity: low; Attack Requirements: none; Privileges Required: none; User Interaction: none; Vulnerable System Impact: Confidentiality none, Integrity none, Availability high; Subsequent System Impact: Confidentiality none, Integrity none, Availability none; Exploit Maturity: unreported

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-28T14:57:03Z/ Found at https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
Attack Vector: network; Attack Complexity: low; Attack Requirements: none; Privileges Required: none; User Interaction: none; Vulnerable System Impact: Confidentiality none, Integrity none, Availability high; Subsequent System Impact: Confidentiality none, Integrity none, Availability none; Exploit Maturity: unreported

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-28T14:57:03Z/ Found at https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-49761
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20241227-0004
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
Attack Vector: network; Attack Complexity: low; Privileges Required: none; User Interaction: none; Scope: unchanged; Confidentiality Impact: none; Integrity Impact: none; Availability Impact: high

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
Attack Vector: network; Attack Complexity: low; Attack Requirements: none; Privileges Required: none; User Interaction: none; Vulnerable System Impact: Confidentiality none, Integrity none, Availability high; Subsequent System Impact: Confidentiality none, Integrity none, Availability none; Exploit Maturity: unreported

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-28T14:57:03Z/ Found at https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
Exploit Prediction Scoring System (EPSS)
Percentile 0.57456
EPSS Score 0.00361
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:08:43.464433+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-2rxp-v6pw-ch6m/GHSA-2rxp-v6pw-ch6m.json 36.1.3