Skip to content

DoS vulnerability in REXML

Low
kou published GHSA-5866-49gr-22v4 Aug 1, 2024

Package

bundler rexml (RubyGems)

Affected versions

< 3.3.3

Patched versions

3.3.3

Description

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

Severity

Low

CVE ID

CVE-2024-41946

Weaknesses

No CWEs

Credits