CVE-2024-35176: DoS vulnerability in REXML

Posted by kou on 16 May 2024

There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-35176. We strongly recommend upgrading the REXML gem.

Details

When parsing an XML document that has many > in an attribute value, REXML gem may take long time.

Please update REXML gem to version 3.2.7 or later.

Affected versions

REXML gem 3.2.6 or prior

Credits

Thanks to mprogrammer for discovering this issue.

History

Originally published at 2024-05-16 05:00:00 (UTC)

Recent News

Redesign our Site Identity

We are excited to announce a comprehensive redesign of our site. The design for this update was created by Taeko Akatsuka.

Posted by Hiroshi SHIBATA on 22 Dec 2025

Ruby 4.0.0 preview3 Released

We are pleased to announce the release of Ruby 4.0.0-preview3. Ruby 4.0 introduces Ruby::Box and “ZJIT”, and adds many improvements.

Posted by naruse on 18 Dec 2025

Ruby 3.4.8 Released

Ruby 3.4.8 has been released.

Posted by k0kubun on 17 Dec 2025

Ruby 4.0.0 preview2 Released

We are pleased to announce the release of Ruby 4.0.0-preview2. Ruby 4.0 updates its Unicode version to 17,0.0, and so on.

Posted by naruse on 17 Nov 2025

More News...

News