
CVE-2024-49761: ReDoS vulnerability in REXML

Medium
Internet Bug Bounty

Team Summary

Official summary from Internet Bug Bounty

### CVE-2024-49761: ReDoS vulnerability in REXML

There is a ReDoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-49761. We strongly recommend upgrading the REXML gem.

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

### Details

When parsing an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).

Please update REXML gem to version 3.3.9 or later.

### Affected versions

REXML gem 3.3.8 or prior with Ruby 3.1 or prior

Reported by manun

Vulnerability Details

Technical details and impact analysis

Uncontrolled Resource Consumption
Hi,

When [REXML](https://github.com/ruby/rexml) is used to parse an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`), it may lead to ReDoS.

Advisory: https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/

## Impact

Reduced performance or Denial of Service was possible where REXML is used to parse user input.
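A defender-side pre-parse guard for the malformed reference shape described above, added here as an example (not the advisory's or REXML's own code): it scans the raw document in one linear pass and reports every `&#<digits>x` run longer than an assumed limit, so a deployment that cannot move to REXML 3.3.9 yet can reject such input before handing it to the parser. The 16-digit limit and the sample documents are constructed assumptions.

```ruby
# Added example: linear scan for "&#<digits>x" runs in raw XML text.
# Deliberately avoids a backtracking regex so the guard itself cannot stall.

MAX_REF_DIGITS = 16 # assumption: no legitimate document needs a longer run

# Returns [[offset, digit_count], ...] for every "&#" followed by more than
# max_digits decimal digits and then an "x". An empty array means the input
# carries none of the reference shape described in the advisory.
def suspicious_char_refs(xml, max_digits: MAX_REF_DIGITS)
  hits = []
  n = xml.length
  i = 0
  while (start = xml.index("&#", i))
    j = start + 2
    j += 1 while j < n && xml[j] =~ /[0-9]/
    digits = j - (start + 2)
    # Per the XML grammar a hex reference is "&#x...;" with no digits before
    # the "x"; a long digit run in front of it is the shape that stalls the
    # old parser, so report it instead of letting the parser see it.
    hits << [start, digits] if j < n && xml[j] == "x" && digits > max_digits
    i = j
  end
  hits
end

# Convenience wrapper for a parse-gate: true when the document is clean.
def safe_to_parse?(xml)
  suspicious_char_refs(xml).empty?
end

# Constructed sample documents (not from the report).
CLEAN_DOC     = "<doc>A=&#x41; B=&#66;</doc>"
MALFORMED_DOC = "<doc>&#" + ("0" * 24) + "x41;</doc>"

if __FILE__ == $PROGRAM_NAME
  [CLEAN_DOC, MALFORMED_DOC].each do |doc|
    puts "#{safe_to_parse?(doc) ? 'ok     ' : 'reject '} #{doc[0, 40]}"
  end
end
```

Any digits at all between `&#` and `x` are already outside the XML CharRef grammar, so a stricter deployment can set `max_digits: 0`; the guard is a stopgap, and the actual fix remains upgrading to REXML 3.3.9 or later.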

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Uncontrolled Resource Consumption