CVE-2024-43398

low-risk

Published 2024-08-22

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Do I need to act?

1.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Rexml

Bootstrap Os

Affected Vendors

Netapp Ruby-Lang

References (4)

Release Notes https://github.com/ruby/rexml/releases/tag/v3.3.6

Vendor Advisory https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3

https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20250103-0006/

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 3/34 · Minimal

Exposure 7/34 · Low