CVE-2024-41946: REXML DoS vulnerability
(updated )
The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.
If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.
References
- github.com/advisories/GHSA-5866-49gr-22v4
- github.com/ruby/rexml
- github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
- nvd.nist.gov/vuln/detail/CVE-2024-41946
- security.netapp.com/advisory/ntap-20250117-0007
- www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
Code Behaviors & Features
Detect and mitigate CVE-2024-41946 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →