CVE-2024-49761

moderate-risk

Published 2024-10-28

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Do I need to act?

0.90% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (2)

Rexml

Ontap Tools

Affected Vendors

Netapp Ruby-Lang

References (5)

Patch https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f

Third Party Advisory https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m

Vendor Advisory https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761

https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20241227-0004/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 7/34 · Low