CVE-2024-39908
Published 2024-07-16
Priority P4 (20), medium; CVSS 3.1 base score 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
EPSS: 1.49% (70.9th percentile)
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML document that contains many specific characters such as ``. If you need to parse untrusted XML, you may be affected by these vulnerabilities. REXML gem 3.3.2 or later includes the patches that fix them. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
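The two actionable points in this advisory (and in the GHSA "Workarounds" section further down) are: upgrade to REXML 3.3.2 or later, and until then do not feed untrusted XML to REXML at all. The following is an editor-added example, not code from the advisory or from the REXML project, of how an application can enforce both at the call site: it checks the version of the REXML that `require` actually resolves to, refuses untrusted input on a vulnerable version, and caps input size as defence in depth, because the reported DoS needs a document carrying many of the triggering characters. The names `rexml_fixed?`, `installed_rexml_version`, `parse_untrusted_xml`, `UntrustedXMLRejected` and the 64 KiB budget are this example's own assumptions; only the fixed version 3.3.2 comes from the advisory.

```ruby
# Editor-added example, not part of the advisory or of REXML itself.
# Gate parsing of untrusted XML on the REXML version that is really loaded,
# and cap input size so a vulnerable REXML cannot be handed a document full
# of the triggering characters. Names and the 64 KiB budget are assumptions.
require "rubygems"

# First REXML release carrying the CVE-2024-39908 fix (from the advisory).
REXML_FIXED_VERSION = Gem::Version.new("3.3.2")

class UntrustedXMLRejected < StandardError; end

# True when a REXML version string is at or past the fixed release.
# Gem::Version compares numerically, so "3.3.10" >= "3.3.2" holds.
def rexml_fixed?(version_string)
  Gem::Version.new(version_string) >= REXML_FIXED_VERSION
end

# Version of the REXML that `require "rexml"` resolves to on this Ruby,
# or nil when no REXML is installed at all.
def installed_rexml_version
  require "rexml/rexml"
  REXML::VERSION
rescue LoadError
  nil
end

# Assumed per-request budget; tune for the application's real documents.
MAX_UNTRUSTED_XML_BYTES = 64 * 1024

# Parse XML from an untrusted source. Refuses outright when the loaded
# REXML predates the fix (the advisory's own workaround: don't parse
# untrusted XML on a vulnerable REXML), then enforces the byte budget,
# and only then hands the string to REXML::Document.
def parse_untrusted_xml(xml, rexml_version: installed_rexml_version,
                        max_bytes: MAX_UNTRUSTED_XML_BYTES)
  if rexml_version.nil?
    raise UntrustedXMLRejected, "REXML is not installed"
  end
  unless rexml_fixed?(rexml_version)
    raise UntrustedXMLRejected,
          "REXML #{rexml_version} predates the 3.3.2 fix; refusing untrusted XML"
  end
  if xml.bytesize > max_bytes
    raise UntrustedXMLRejected,
          "input is #{xml.bytesize} bytes, over the #{max_bytes}-byte budget"
  end
  require "rexml/document"
  REXML::Document.new(xml)
end

# Constructed sample input for a stand-alone run.
if __FILE__ == $PROGRAM_NAME
  sample = "<order id=\"42\"><item sku=\"A1\">1</item></order>"
  begin
    doc = parse_untrusted_xml(sample)
    puts "parsed <#{doc.root.name}> with REXML #{installed_rexml_version}"
  rescue UntrustedXMLRejected => e
    puts "rejected: #{e.message}"
  end
end
```

Two caveats worth knowing before relying on the version check. First, it inspects the REXML that `require` loads, which on Ruby 3.x is a bundled gem that may be shadowed by a newer gem in the Gemfile.lock; check the running process, not `gem list`. Second, distribution packages such as the Debian and Ubuntu builds listed on this page backport the fix without bumping `REXML::VERSION`, so on a distro-patched Ruby the check above is conservative and will refuse input even though the code is fixed; there the package version from the vendor advisory, not the gem version string, is the source of truth.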
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby2.7 | < 2.7.4-1+deb11u3 (bullseye) | 2.7.4-1+deb11u3 (bullseye) |
| debian | ruby3.1 | — | — |
| debian | ruby3.3 | — | — |
| msrc | azl3_ruby_3.3.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_ruby_3.3.5-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.2.8-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.3.4-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_ruby_3.1.4-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rubygem-rexml_3.2.7-4_on_cbl_mariner_2.0 | — | — |
| ruby-lang | rexml | < 3.3.2 | 3.3.2 |
| ruby | rexml | < 3.3.2 | 3.3.2 |
| ruby | rexml | >= 0 < 3.3.2 | 3.3.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| osv | 5.3 | MEDIUM | — |
| vendor_ubuntu | 5.3 | MEDIUM | — |
| vendor_debian | 4.3 | MEDIUM | — |
| vendor_msrc | 4.3 | MEDIUM | — |
| vendor_redhat | 4.3 | MEDIUM | — |
OSV
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
osv·2025-10-27·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.3, ruby2.5, ruby2.7 vulnerabilities
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS was previously addressed in USN-7256-1. T
OSV
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
osv·2025-04-07·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using the REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908,
CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the
net-imap response parser. If a user or automated system were tricked into
connecting to a malicious IMAP server, a remote attacker could possibly use
this issue to consume memory, leading to a denial of service. This issue
only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)
OSV
ruby2.7 vulnerabilities
osv·2024-11-21·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.7 vulnerabilities
ruby2.7 vulnerabilities
USN-7091-1 fixed several vulnerabilities in Ruby. This update provides the
corresponding update for CVE-2024-35176, CVE-2024-41123, CVE-2024-41946 and
CVE-2024-49761 for ruby2.7 in Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using the REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash
OSV
ruby3.0, ruby3.2, ruby3.3 vulnerabilities
osv·2024-11-05·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby3.0, ruby3.2, ruby3.3 vulnerabilities
ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using the REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a denial
of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04
LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash, resulting in a denial of
service. (CVE-2024-41946)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many digits in a hex numeric character reference. An attacker
could use
OSV
CVE-2024-39908: REXML is an XML toolkit for Ruby
osv·2024-07-16·CVSS 4.3
CVE-2024-39908 [MEDIUM] CVE-2024-39908: REXML is an XML toolkit for Ruby
GHSA
REXML denial of service vulnerability
ghsa·2024-07-16
CVE-2024-39908 [MEDIUM] CWE-400 REXML denial of service vulnerability
REXML denial of service vulnerability
### Impact
The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML document that contains many specific characters such as ``.
If you need to parse untrusted XML, you may be affected by these vulnerabilities.
### Patches
REXML gem 3.3.2 or later includes the patches that fix these vulnerabilities.
### Workarounds
Don't parse untrusted XML.
### References
* https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
* https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2025-02-06
CVE-2024-43398 Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rexml: DoS vulnerability in REXML
vendor_redhat·2024-07-16·CVSS 4.3
CVE-2024-39908 [MEDIUM] CWE-400 rexml: DoS vulnerability in REXML
rexml: DoS vulnerability in REXML
An uncontrolled resource consumption vulnerability was found in REXML. When parsing an untrusted XML with many specific characters such as ``, it can lead to a denial of service.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of
Microsoft
Denial of service in REXML
vendor_msrc·2024-07-09·CVSS 4.3
CVE-2024-39908 [MEDIUM] CWE-400 Denial of service in REXML
Denial of service in REXML
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/az
Debian
CVE-2024-39908: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulner...
vendor_debian·2024·CVSS 4.3
CVE-2024-39908 [MEDIUM] CVE-2024-39908: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulner...
Scope: local
bullseye: resolved (fixed in 2.7.4-1+deb11u3)
No detection rules found.
No public exploits indexed.
References
* https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
* https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908
* https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
* https://security.netapp.com/advisory/ntap-20250117-0008/