vulnerability
Red Hat: CVE-2024-49761: rexml: REXML ReDoS vulnerability (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Oct 28, 2024 | Feb 10, 2025 | Mar 27, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
Oct 28, 2024
Added
Feb 10, 2025
Modified
Mar 27, 2026
Description
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Solutions
redhat-upgrade-pcsredhat-upgrade-pcs-snmpredhat-upgrade-rubyredhat-upgrade-ruby-bundled-gemsredhat-upgrade-ruby-bundled-gems-debuginforedhat-upgrade-ruby-debuginforedhat-upgrade-ruby-debugsourceredhat-upgrade-ruby-default-gemsredhat-upgrade-ruby-develredhat-upgrade-ruby-docredhat-upgrade-ruby-irbredhat-upgrade-ruby-libsredhat-upgrade-ruby-libs-debuginforedhat-upgrade-rubygem-abrtredhat-upgrade-rubygem-abrt-docredhat-upgrade-rubygem-bigdecimalredhat-upgrade-rubygem-bigdecimal-debuginforedhat-upgrade-rubygem-bsonredhat-upgrade-rubygem-bson-debuginforedhat-upgrade-rubygem-bson-debugsourceredhat-upgrade-rubygem-bson-docredhat-upgrade-rubygem-bundlerredhat-upgrade-rubygem-bundler-docredhat-upgrade-rubygem-did_you_meanredhat-upgrade-rubygem-io-consoleredhat-upgrade-rubygem-io-console-debuginforedhat-upgrade-rubygem-irbredhat-upgrade-rubygem-jsonredhat-upgrade-rubygem-json-debuginforedhat-upgrade-rubygem-minitestredhat-upgrade-rubygem-mongoredhat-upgrade-rubygem-mongo-docredhat-upgrade-rubygem-mysql2redhat-upgrade-rubygem-mysql2-debuginforedhat-upgrade-rubygem-mysql2-debugsourceredhat-upgrade-rubygem-mysql2-docredhat-upgrade-rubygem-net-telnetredhat-upgrade-rubygem-opensslredhat-upgrade-rubygem-openssl-debuginforedhat-upgrade-rubygem-pgredhat-upgrade-rubygem-pg-debuginforedhat-upgrade-rubygem-pg-debugsourceredhat-upgrade-rubygem-pg-docredhat-upgrade-rubygem-power_assertredhat-upgrade-rubygem-psychredhat-upgrade-rubygem-psych-debuginforedhat-upgrade-rubygem-rakeredhat-upgrade-rubygem-rbsredhat-upgrade-rubygem-rbs-debuginforedhat-upgrade-rubygem-rdocredhat-upgrade-rubygem-rexmlredhat-upgrade-rubygem-rssredhat-upgrade-rubygem-test-unitredhat-upgrade-rubygem-typeprofredhat-upgrade-rubygem-xmlrpcredhat-upgrade-rubygemsredhat-upgrade-rubygems-devel
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.