CVE-2024-35176Uncontrolled Resource Consumption in Rexml

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling18 documents9 sources
Severity
5.3MEDIUMNVD
EPSS
6.9%
top 8.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ruby RexmlRuby-lang Rexml
Timeline
PublishedMay 16
Latest updateOct 27

Description

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5ruby/rexml< 3.2.7
NVDruby-lang/rexml< 3.2.7

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

8
OSV
ruby2.3, ruby2.5, ruby2.7 vulnerabilities2025-10-27
OSV
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities2025-04-07
OSV
ruby2.7 vulnerabilities2024-11-21
OSV
ruby3.0, ruby3.2, ruby3.3 vulnerabilities2024-11-05
OSV
REXML contains a denial of service vulnerability2024-05-16

📋Vendor Advisories

8
Ubuntu
Ruby vulnerabilities2025-10-27
Ubuntu
Ruby vulnerabilities2025-09-03
Ubuntu
Ruby vulnerabilities2025-04-07
Ubuntu
Ruby vulnerabilities2024-11-21
Ubuntu
Ruby vulnerabilities2024-11-05

💬Community

1
HackerOne
[CVE-2024-35176] DoS vulnerability in REXML2024-08-23
CVE-2024-35176 — Uncontrolled Resource Consumption | cvebase