The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).
This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL in March 2025.
The REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.
Use Ruby 3.2 or later instead of Ruby 3.1.
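As an added illustration, not code from the advisory or from the REXML project: the Ruby below builds the input shape the advisory describes (digits between `&#` and the `x` of a hex reference), applies a linear-time pre-parse check that rejects malformed numeric character references before the document reaches REXML, and checks whether an installed REXML/Ruby combination falls in the affected range. The `x41;` tail of the payload, the helper names, and the use of 0x10FFFF (the largest Unicode code point, which bounds any legitimate reference) as the cut-off are my choices, not something the advisory states.

```ruby
# Added example; not part of the advisory or of REXML itself.

# Constructed sample input: a hex character reference with `digits` decimal
# digits between "&#" and "x", e.g. "&#000x41;". A legitimate reference never
# has digits before the "x", so this is malformed by construction. The "x41;"
# tail is an assumption standing in for the advisory's "x...;".
def build_payload(digits)
  "<root>&#" + ("0" * digits) + "x41;</root>"
end

# A numeric character reference is either &#D; (decimal) or &#xH; (hex) and
# must denote a code point no larger than U+10FFFF. Seven decimal digits or
# six hex digits are enough for any valid value; the regex below allows up to
# seven characters in either form and the range check rejects the rest.
MAX_CODE_POINT = 0x10FFFF

def valid_char_ref?(ref)
  m = ref.match(/\A&#(x?)([0-9a-fA-F]{1,7});\z/)
  return false unless m
  hex = !m[1].empty?
  # Decimal references may only contain digits 0-9.
  return false if !hex && m[2] !~ /\A[0-9]+\z/
  m[2].to_i(hex ? 16 : 10) <= MAX_CODE_POINT
end

# Return every "&#..." token in the raw document that is not a well-formed
# numeric character reference. The scan pattern is a single bounded run of
# alphanumerics with no nested quantifiers, so it is linear in input size.
def malformed_char_refs(xml)
  xml.scan(/&#[0-9A-Za-z]*;?/).reject { |ref| valid_char_ref?(ref) }
end

# Gate untrusted input on the pre-check, then hand it to REXML. The require
# is deliberately placed after the check so rejected input never loads or
# exercises the parser at all.
def parse_untrusted_xml(xml)
  bad = malformed_char_refs(xml)
  unless bad.empty?
    sample = bad.first.length > 40 ? bad.first[0, 40] + "..." : bad.first
    raise ArgumentError, "rejecting XML with malformed character reference: #{sample.inspect}"
  end
  require "rexml/document"
  REXML::Document.new(xml)
end

# True when the installed combination matches the advisory's affected range:
# REXML older than 3.3.9 running on a Ruby older than 3.2.
def rexml_affected?(rexml_version, ruby_version)
  Gem::Version.new(rexml_version) < Gem::Version.new("3.3.9") &&
    Gem::Version.new(ruby_version) < Gem::Version.new("3.2")
end

if __FILE__ == $PROGRAM_NAME
  payload = build_payload(100_000)
  puts "malformed references found: #{malformed_char_refs(payload).length}"
  begin
    parse_untrusted_xml(payload)
  rescue ArgumentError => e
    puts e.message
  end
  puts "affected (REXML 3.3.8 on Ruby 3.1.6)? #{rexml_affected?('3.3.8', '3.1.6')}"
  puts "affected (REXML 3.3.9 on Ruby 3.1.6)? #{rexml_affected?('3.3.9', '3.1.6')}"
end
```

The pre-check is a defence-in-depth measure for services that must keep running on Ruby 3.1 until they can upgrade; it does not replace updating REXML to 3.3.9 or later, and it only covers the reference shape this advisory describes, so version-check first and treat the filter as a stopgap.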
{ "nvd_published_at": "2024-10-28T15:15:05Z", "cwe_ids": [ "CWE-1333" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-10-28T14:10:18Z" }