CVE-2024-41946Uncontrolled Resource Consumption in Rexml

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling13 documents8 sources
Severity
7.5HIGHNVD
CNA5.3OSV5.3
EPSS
0.7%
top 28.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ruby RexmlRuby-lang Rexml
Timeline
PublishedAug 1
Latest updateOct 27

Description

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5ruby/rexml< 3.3.3
NVDruby-lang/rexml< 3.3.3

Patches

Patch: github.com

🔴Vulnerability Details

6
OSV
ruby2.7 vulnerabilities2024-11-21
OSV
ruby3.0, ruby3.2, ruby3.3 vulnerabilities2024-11-05
GHSA
REXML DoS vulnerability2024-08-02
OSV
REXML DoS vulnerability2024-08-02
OSV
CVE-2024-41946: REXML is an XML toolkit for Ruby2024-08-01

📋Vendor Advisories

6
Ubuntu
Ruby vulnerabilities2025-10-27
Ubuntu
Ruby vulnerabilities2024-11-21
Ubuntu
Ruby vulnerabilities2024-11-05
Microsoft
REXML DoS vulnerability2024-08-13
Red Hat
rexml: DoS vulnerability in REXML2024-08-01
CVE-2024-41946 — Uncontrolled Resource Consumption | cvebase