CVE-2024-41946
Published 2024-08-01
CVE-2024-41946: REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API…
Priority: P339 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.19% (64.1st percentile)
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby2.7 | < 2.7.4-1+deb11u3 (bullseye) | 2.7.4-1+deb11u3 (bullseye) |
| debian | ruby3.1 | — | — |
| debian | ruby3.3 | — | — |
| msrc | azl3_ruby_3.3.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.2.8-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rubygem-rexml_3.3.4-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_ruby_3.1.4-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_ruby_3.1.4-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rubygem-rexml_3.2.7-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rubygem-rexml_3.2.7-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| ruby-lang | rexml | < 3.3.3 | 3.3.3 |
| ruby | rexml | < 3.3.3 | 3.3.3 |
| ruby | rexml | >= 0 < 3.3.3 | 3.3.3 |
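The gem rows above agree on a single lower bound for the fix, 3.3.3, even though the prose descriptions on this page phrase the affected version differently ("3.3.2" versus "before 3.3.2"). The following audit script is an added example, not code from the REXML project or from any of the advisories quoted here: it reads the rexml pin out of a Gemfile.lock, compares it against 3.3.3 with Ruby's own `Gem::Version`, and reports the version the running interpreter actually loads. The sample lock file is constructed for the example.

```ruby
# Added example: audit the REXML version an application resolves to against the
# first fixed release (3.3.3). Not code from the REXML project or the advisory.
FIXED_REXML = Gem::Version.new("3.3.3")

# Gem::Version orders "3.3.10" after "3.3.9" and understands prerelease tags,
# so it is used instead of string comparison.
def rexml_vulnerable?(version)
  Gem::Version.new(version) < FIXED_REXML
end

# In a Gemfile.lock, resolved gems sit under "specs:" indented by four spaces as
# "    rexml (3.3.2)"; their dependencies are indented by six and carry
# constraints such as "(>= 3.0)", which the leading-digit requirement skips.
def rexml_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rexml \((\d[^)\s]*)\)/)
  m && m[1]
end

# REXML ships with Ruby as a bundled gem, so an application without a pin still
# loads one: REXML::VERSION is the version active in the current process.
def runtime_rexml_version
  require "rexml/rexml"
  REXML::VERSION
rescue LoadError
  nil
end

# { version: "3.3.2", vulnerable: true } for a pinned lock file; both nil when
# no pin exists (fall back to runtime_rexml_version in that case).
def audit(lock_text)
  version = rexml_version_from_lockfile(lock_text)
  return { version: nil, vulnerable: nil } if version.nil?
  { version: version, vulnerable: rexml_vulnerable?(version) }
end

# Constructed sample lock file (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)
      rexml (3.3.2)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rexml (>= 3.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts audit(SAMPLE_LOCK).inspect
  puts "runtime rexml: #{runtime_rexml_version.inspect}"
end
```

The gem version is only meaningful for RubyGems-installed REXML. Distribution packages such as Debian's ruby2.7 2.7.4-1+deb11u3 or the Azure Linux and CBL-Mariner builds listed above typically backport the fix in place without changing `REXML::VERSION`, so for vendor-packaged Ruby compare the package version against the table rather than the gem constant.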
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |
| vendor_ubuntu | 5.3 | MEDIUM | — |
OSV
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
osv·2025-10-27·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.3, ruby2.5, ruby2.7 vulnerabilities
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 18.04
LTS and Ubuntu 20.04 LTS were previously addressed in USN-7256-1 and
USN-7734-1. This update addresses the issue in Ubuntu 16.04 LTS.
(CVE-2024-35176)
It was discovered that the REXML module bundled into Ruby incorrectly
handled parsing XML documents with repeated instances of certain
characters. An attacker could possibly use this issue to cause REXML to
consume excessive resources, leading to a denial of service. Ubuntu 20.04
LTS was previously addressed in USN-7256-1. …
OSV
ruby2.7 vulnerabilities
osv·2024-11-21·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.7 vulnerabilities
ruby2.7 vulnerabilities
USN-7091-1 fixed several vulnerabilities in Ruby. This update provides the
corresponding update for CVE-2024-35176, CVE-2024-41123, CVE-2024-41946 and
CVE-2024-49761 for ruby2.7 in Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash …
OSV
ruby3.0, ruby3.2, ruby3.3 vulnerabilities
osv·2024-11-05·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby3.0, ruby3.2, ruby3.3 vulnerabilities
ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a denial
of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04
LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash, resulting in a denial of
service. (CVE-2024-41946)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many digits in a hex numeric character reference. An attacker
could use …
GHSA
REXML DoS vulnerability
ghsa·2024-08-02
CVE-2024-41946 [MEDIUM] CWE-400 REXML DoS vulnerability
REXML DoS vulnerability
### Impact
The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.
If you need to parse untrusted XML with the SAX2 or pull parser API, you may be affected by this vulnerability.
### Patches
The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
### Workarounds
Don't parse untrusted XMLs with SAX2 or pull parser API.
### References
* https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ (the 2008 entity-expansion DoS in REXML, a similar vulnerability)
* https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/ (announcement on www.ruby-lang.org)
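The workaround above is a policy ("don't parse untrusted XML with SAX2 or pull parser API"); the code below is an added example, not code from the REXML project or the advisory, that turns it into a gate. Entities can only be declared in a DTD, which requires a DOCTYPE, so untrusted input carrying a `<!DOCTYPE` or `<!ENTITY` token is refused before it reaches the streaming parser; on a patched REXML the entity-expansion budget is additionally lowered as defence in depth. The billion-laughs payload, the benign order document, and the 1 MiB size cap are constructed for the example and are not REXML settings. The same gate belongs in front of `REXML::Parsers::PullParser`.

```ruby
# Added example (not from REXML or the advisory): refuse untrusted XML that
# declares entities before it reaches a streaming parser.
begin
  require "rexml/document"
  require "rexml/parsers/sax2parser"
  REXML_LOADED = true
rescue LoadError
  REXML_LOADED = false   # the guard functions below are stdlib-only
end

MAX_XML_BYTES = 1024 * 1024   # assumed application limit, not a REXML setting
EXPANSION_BUDGET = 100        # well below REXML's default limit of 10_000

# Entities can only be declared inside a DTD, which needs a DOCTYPE, so a
# document containing neither token cannot trigger entity expansion at all.
def declares_entities?(xml)
  xml.include?("<!DOCTYPE") || xml.include?("<!ENTITY")
end

# Returns { rejected: true, reason: ... } or { rejected: false, elements: n }.
def parse_untrusted(xml)
  if xml.bytesize > MAX_XML_BYTES
    return { rejected: true, reason: "input larger than #{MAX_XML_BYTES} bytes" }
  end
  if declares_entities?(xml)
    return { rejected: true, reason: "DOCTYPE/ENTITY not accepted from untrusted sources" }
  end
  return { rejected: true, reason: "rexml not available" } unless REXML_LOADED

  # Defence in depth: REXML >= 3.3.3 applies this limit in SAX2/pull parsing too.
  REXML::Security.entity_expansion_limit = EXPANSION_BUDGET

  elements = 0
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(:start_element) { |_uri, _local, _qname, _attrs| elements += 1 }
  parser.parse
  { rejected: false, elements: elements }
rescue REXML::ParseException, RuntimeError => e
  # A patched REXML raises once the expansion budget is exceeded; malformed
  # input raises ParseException. Either way the caller gets a rejection.
  { rejected: true, reason: "parser aborted: #{e.message}" }
end

# Constructed billion-laughs payload: each level expands to `fanout` copies of
# the level below, so the single &lol<depth>; reference yields fanout**depth
# expansions (10_000 with the defaults), the shape CVE-2024-41946 is about.
def billion_laughs(depth: 4, fanout: 10)
  decls = ['<!ENTITY lol0 "lol">']
  (1..depth).each { |i| decls << "<!ENTITY lol#{i} \"#{"&lol#{i - 1};" * fanout}\">" }
  "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n#{decls.join("\n")}\n]>\n<lolz>&lol#{depth};</lolz>\n"
end

# Constructed benign document with three elements.
BENIGN_XML = <<~XML
  <order id="42">
    <item sku="A1"/>
    <item sku="B2"/>
  </order>
XML

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted(billion_laughs)   # rejected before any parsing happens
  p parse_untrusted(BENIGN_XML)       # rejected: false, elements: 3
end
```

Refusing every DOCTYPE is deliberately coarser than counting expansions: it also removes external-entity and external-DTD processing from the untrusted path, and it does not depend on which REXML version the host happens to ship.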
OSV
REXML DoS vulnerability
osv·2024-08-02
CVE-2024-41946 [MEDIUM] REXML DoS vulnerability
OSV
CVE-2024-41946: REXML is an XML toolkit for Ruby
osv·2024-08-01·CVSS 7.5
CVE-2024-41946 [HIGH] CVE-2024-41946: REXML is an XML toolkit for Ruby
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2025-10-27·CVSS 5.3
CVE-2024-47220 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2024-11-21·CVSS 5.3
CVE-2024-35176 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2024-11-05·CVSS 5.3
CVE-2024-35176 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Microsoft
REXML DoS vulnerability
vendor_msrc·2024-08-13·CVSS 7.5
CVE-2024-41946 [MEDIUM] CWE-400 REXML DoS vulnerability
REXML DoS vulnerability
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure
Red Hat
rexml: DoS vulnerability in REXML
vendor_redhat·2024-08-01·CVSS 5.3
CVE-2024-41946 [MEDIUM] CWE-400 rexml: DoS vulnerability in REXML
rexml: DoS vulnerability in REXML
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
A flaw was found in the REXML package. Reading an XML file that contains many entity expansions may lead to a denial of service due to resource starvation. An attacker can use this flaw to trick a user into processing an untrusted XML file.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: ruby:3.3/ruby (Red Hat Enterpri…
Debian
CVE-2024-41946: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability wh...
vendor_debian·2024·CVSS 5.3
CVE-2024-41946 [MEDIUM] CVE-2024-41946: ruby2.7 - REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability wh...
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Scope: local
bullseye: resolved (fixed in 2.7.4-1+deb11u3)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
* https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
* https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
* https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
* https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
* https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
* https://security.netapp.com/advisory/ntap-20250117-0007/
Published: 2024-08-01