CVE-2024-35176
Published 2024-05-16
CVE-2024-35176: REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute…
Priority P427 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS 2.06% (79.0th percentile)
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby2.7 | < ruby2.7 2.7.4-1+deb11u3 (bullseye) | ruby2.7 2.7.4-1+deb11u3 (bullseye) |
| debian | ruby3.1 | < ruby2.7 2.7.4-1+deb11u3 (bullseye) | ruby2.7 2.7.4-1+deb11u3 (bullseye) |
| msrc | azl3_ruby_3.3.0-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_ruby_3.3.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.2.6-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.2.8-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_ruby_3.1.4-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_ruby_3.1.4-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rubygem-rexml_3.2.5-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rubygem-rexml_3.2.7-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| ruby-lang | rexml | < 3.2.7 | 3.2.7 |
| ruby | rexml | < 3.2.7 | 3.2.7 |
| ruby | rexml | >= 0 < 3.2.7 | 3.2.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2025-10-27·CVSS 5.3
CVE-2024-47220 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS w
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2025-09-03·CVSS 9.8
CVE-2024-27282 [CRITICAL] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain IO stream
methods. A remote attacker could use this issue to cause Ruby to crash,
resulting in a denial of service, or possibly obtain sensitive
information. This issue only affected Ubuntu 18.04 LTS. (CVE-2024-27280)
It was discovered that the Ruby regex compiler incorrectly handled
certain memory operations. A remote attacker could possibly use this
issue to obtain sensitive memory contents. This issue only affected
Ubuntu 18.04 LTS. (CVE-2024-27282)
It was discovered that Ruby incorrectly handled parsing of certain XML
characters through the REXML gem. An attacker could use this issue to
cause Ruby to crash, resulting in a denial of service. This i
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2025-04-07·CVSS 5.3
CVE-2024-35176 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908,
CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the
net-imap response parser. If a user or automated system were tricked into
connecting to a malicious IMAP server, a remote attacker could possibly use
this issue to consume memory, leading to a denial of service. This issue
only affected Ubuntu 24.04 LTS, and
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2024-11-21·CVSS 5.3
CVE-2024-35176 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
USN-7091-1 fixed several vulnerabilities in Ruby. This update provides the
corresponding update for CVE-2024-35176, CVE-2024-41123, CVE-2024-41946 and
CVE-2024-49761 for ruby2.7 in Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser AP
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2024-11-05·CVSS 5.3
CVE-2024-35176 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a denial
of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04
LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash, resulting in a denial of
service. (CVE-2024-41946)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many digits in a hex numeric cha
Red Hat
REXML: DoS parsing an XML with many `<`s in an attribute value
vendor_redhat·2024-05-16·CVSS 5.3
CVE-2024-35176 [MEDIUM] CWE-770 REXML: DoS parsing an XML with many `<`s in an attribute value
REXML: DoS parsing an XML with many `<`s in an attribute value
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.
Package: ruby (Red Hat Enterprise Linux 10) - Fix deferred
Package: ruby (Red Hat Enterprise Linux 6) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 7) - Fix deferred
Package: ruby:3.1/ruby (Red Hat Enterprise Linux 8) - Fix deferred
Package: ruby:3.3/ruby (Red Hat Enterprise Linux 8) - Fix deferred
Package: pcs (Red Hat Enterprise Linux 9) - Fix defer
Microsoft
REXML contains a denial of service vulnerability
vendor_msrc·2024-05-14·CVSS 5.3
CVE-2024-35176 [MEDIUM] CWE-400 REXML contains a denial of service vulnerability
REXML contains a denial of service vulnerability
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.
Debian
CVE-2024-35176: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of ser...
vendor_debian·2024·CVSS 5.3
CVE-2024-35176 [MEDIUM] CVE-2024-35176: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of ser...
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.
Scope: local
bullseye: resolved (fixed in 2.7.4-1+deb11u3)
OSV
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
osv·2025-10-27·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.3, ruby2.5, ruby2.7 vulnerabilities
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS was previously addressed in USN-7256-1. T
OSV
ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
osv·2025-09-03·CVSS 9.8
CVE-2024-27280 [CRITICAL] ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled certain IO stream
methods. A remote attacker could use this issue to cause Ruby to crash,
resulting in a denial of service, or possibly obtain sensitive
information. This issue only affected Ubuntu 18.04 LTS. (CVE-2024-27280)
It was discovered that the Ruby regex compiler incorrectly handled
certain memory operations. A remote attacker could possibly use this
issue to obtain sensitive memory contents. This issue only affected
Ubuntu 18.04 LTS. (CVE-2024-27282)
It was discovered that Ruby incorrectly handled parsing of certain XML
characters through the REXML gem. An attacker could use this issue to
cause Ruby to crash, resulting in a denial of service. This issue only
affected Ubu
OSV
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
osv·2025-04-07·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908,
CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the
net-imap response parser. If a user or automated system were tricked into
connecting to a malicious IMAP server, a remote attacker could possibly use
this issue to consume memory, leading to a denial of service. This issue
only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)
OSV
ruby2.7 vulnerabilities
osv·2024-11-21·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.7 vulnerabilities
ruby2.7 vulnerabilities
USN-7091-1 fixed several vulnerabilities in Ruby. This update provides the
corresponding update for CVE-2024-35176, CVE-2024-41123, CVE-2024-41946 and
CVE-2024-49761 for ruby2.7 in Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash
OSV
ruby3.0, ruby3.2, ruby3.3 vulnerabilities
osv·2024-11-05·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby3.0, ruby3.2, ruby3.3 vulnerabilities
ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a denial
of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04
LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash, resulting in a denial of
service. (CVE-2024-41946)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many digits in a hex numeric character reference. An attacker
could use
OSV
REXML contains a denial of service vulnerability
osv·2024-05-16
CVE-2024-35176 [MEDIUM] REXML contains a denial of service vulnerability
REXML contains a denial of service vulnerability
### Impact
The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `>`s in an attribute value.
If you need to parse untrusted XMLs, you may be impacted to this vulnerability.
### Patches
The REXML gem 3.2.7 or later include the patch to fix this vulnerability.
### Workarounds
Don't parse untrusted XMLs.
### References
* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
OSV
CVE-2024-35176: REXML is an XML toolkit for Ruby
osv·2024-05-16·CVSS 5.3
CVE-2024-35176 [MEDIUM] CVE-2024-35176: REXML is an XML toolkit for Ruby
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.
GHSA
REXML contains a denial of service vulnerability
ghsa·2024-05-16
CVE-2024-35176 [MEDIUM] CWE-400 REXML contains a denial of service vulnerability
REXML contains a denial of service vulnerability
### Impact
The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `>`s in an attribute value.
If you need to parse untrusted XMLs, you may be impacted to this vulnerability.
### Patches
The REXML gem 3.2.7 or later include the patch to fix this vulnerability.
### Workarounds
Don't parse untrusted XMLs.
### References
* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
No detection rules found.
No public exploits indexed.
HackerOne
Uncontrolled Resource Consumption when parsing maliciously crafted XML with REXML
hackerone·2025-02-20·CVSS 5.3
[MEDIUM] Uncontrolled Resource Consumption when parsing maliciously crafted XML with REXML
Uncontrolled Resource Consumption when parsing maliciously crafted XML with REXML
Paste this code into a python file:
```python
start = ""
middle = "" + "" * 1
end = ""
print(start)
COUNT = 2000
for _ in range(COUNT):
    print(middle)
print(end)
```
and then redirect the output of this program to a file: `python pwn.py > pwn.xml`
then when this file is passed to `REXML::Document.new` in a program like this:
```rb
require 'timeout'
require 'rexml/document'
include REXML
puts "Reading input from stdin..."
input = ARGF.read
puts "Parsing input..."
REXML::Document.new input
puts "Done!"
```
the program hangs and CPU consumption jumps to 100%
The `CTRL-C` trace gives a hint at what could be going on:
```
from /usr/local/lib/ruby/gems/3.4.0+0/gems/rexml-3.3.5/lib/rexml/element.rb:623:in `namespa
```
HackerOne
[CVE-2024-35176] DoS vulnerability in REXML
hackerone·2024-08-23·CVSS 5.3
CVE-2024-35176 [MEDIUM] [CVE-2024-35176] DoS vulnerability in REXML
[CVE-2024-35176] DoS vulnerability in REXML
I sent my original report here: https://hackerone.com/reports/2490560
REXML had a vulnerability where repeated `>` characters in an attribute value took a very long time for the parser to finish.
The wait times increased exponentially the larger the string.
## Impact
Reduced performance or Denial of Service was possible where REXML is used to parse user input.
Rails uses REXML to convert XML to a hash, so this was susceptible:
```rb
Hash.from_xml(request.body.read)
```
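The mitigation the advisories above spell out (upgrade REXML to 3.2.7 or later; otherwise do not hand untrusted XML to the parser) as a defensive wrapper in Ruby. This is an added example, not code from the HackerOne reports, from REXML or from Rails. The names `FIXED_REXML_VERSION`, `rexml_patched?`, `raw_lt_in_attribute_values`, `parse_untrusted_xml` and `UntrustedXmlRejected`, the byte cap and the time limit are assumptions chosen for the example, and the sample inputs are constructed. It goes one step beyond the page: a literal `<` is never well-formed inside an attribute value, so the wrapper refuses that shape before the parser ever runs.

```ruby
require 'rexml/document'
require 'timeout'

# Version the advisories name as carrying the fix for CVE-2024-35176.
FIXED_REXML_VERSION = Gem::Version.new("3.2.7")

# Raised when untrusted input is refused before or during parsing (example name).
class UntrustedXmlRejected < StandardError; end

# True when the given REXML version string is at or past the fixed release.
# Defaults to the REXML actually loaded in this process.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML_VERSION
end

# Pre-parse heuristic: count literal '<' characters that sit inside quoted
# attribute values. Well-formed XML never contains a raw '<' there, so any hit
# is both a well-formedness error and the input shape the advisory describes;
# it can be refused without invoking the parser at all.
def raw_lt_in_attribute_values(xml)
  xml.scan(/=\s*(?:"[^"]*"|'[^']*')/).sum { |attr| attr.count('<') }
end

# Parse XML from an untrusted source behind a byte cap, the attribute-value
# check above, a refusal to run on an unpatched REXML, and a wall-clock limit
# on the parse itself. The limits are example values, not recommendations.
def parse_untrusted_xml(xml, rexml_version: REXML::VERSION,
                        max_bytes: 1_000_000, timeout_s: 2)
  if xml.bytesize > max_bytes
    raise UntrustedXmlRejected, "input is #{xml.bytesize} bytes, cap is #{max_bytes}"
  end
  if (n = raw_lt_in_attribute_values(xml)) > 0
    raise UntrustedXmlRejected, "#{n} raw '<' inside attribute values"
  end
  unless rexml_patched?(rexml_version)
    raise UntrustedXmlRejected,
          "REXML #{rexml_version} predates the CVE-2024-35176 fix; refusing untrusted input"
  end
  Timeout.timeout(timeout_s) { REXML::Document.new(xml) }
rescue Timeout::Error
  raise UntrustedXmlRejected, "parse exceeded #{timeout_s}s"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: one benign document, one with the advisory's shape.
  ['<order id="42"><item sku="A1"/></order>', %q{<a b="<<<<<<<<"/>}].each do |sample|
    begin
      doc = parse_untrusted_xml(sample)
      puts "parsed root <#{doc.root.name}> with REXML #{REXML::VERSION}"
    rescue UntrustedXmlRejected => e
      puts "rejected: #{e.message}"
    end
  end
end
```

In a Rails handler the call would replace the bare `Hash.from_xml(request.body.read)` shown above: read the body, pass it through `parse_untrusted_xml`, and convert only a document that survived the guards. The version check is deliberately explicit rather than implied by a Gemfile.lock, because REXML is a bundled gem and the version actually loaded can differ from the one an application thinks it pinned.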
CVE-2024-35176: DoS vulnerability in REXML
There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-35176. We strongly recommend upgrading the REXML gem.
Details
When parsing an XML document that has many < in an attribute va
* https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
* https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
* https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
* https://security.netapp.com/advisory/ntap-20250306-0001/
Published 2024-05-16