CVE-2024-39908

Published: Jul 16, 2024

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

Vendor	Product	Versions
ruby	rexml	affected `< 3.3.2`

Weaknesses (CWE)

CWE-400

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8

x_refsource_CONFIRM

https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-39908

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References