CVE-2024-49761

CWE-1333, 18 documents, 11 sources
Severity: 6.6 MEDIUM
EPSS: 0.9% (top 24.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 28; Latest update Nov 3

Description

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (6 packages)

CVEListV5: ruby/rexml < 3.3.9
NVD: ruby-lang/rexml < 3.3.9
Debian: ruby2.7 < 2.7.4-1+deb11u3
Debian: ruby3.3 < 3.3.6-1+1
Ubuntu: ruby2.7 < 2.7.0-5ubuntu1.15

Also affects: Ontap Tools 10

Patches

🔴Vulnerability Details (5)

OSV: ruby2.7 vulnerabilities (2024-11-21)
OSV: REXML ReDoS vulnerability (2024-10-28)
GHSA: REXML ReDoS vulnerability (2024-10-28)
CVEList: REXML ReDoS vulnerability (2024-10-28)
OSV: CVE-2024-49761: REXML is an XML toolkit for Ruby (2024-10-28)

📋Vendor Advisories (10)

Apple: CVE-2024-49761: macOS Sequoia 15.7.2 (2025-11-03)
Apple: CVE-2024-49761: macOS Sonoma 14.8.2 (2025-11-03)
Apple: CVE-2024-49761: macOS Tahoe 26.1 (2025-11-03)
Red Hat: rexml: REXML: Denial of Service via inefficient regex parsing (2025-09-25)
Ubuntu: Ruby vulnerabilities (2025-04-17)

🕵️Threat Intelligence (1)

Wiz: CVE-2025-10990 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community (1)

HackerOne: CVE-2024-49761: ReDoS vulnerability in REXML (2024-11-30)
CVE-2024-49761 (MEDIUM CVSS 6.6) | REXML is an XML toolkit for Ruby | cvebase.io