{"id":"CVE-2024-49761","summary":"REXML ReDoS vulnerability","details":"REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.","aliases":["GHSA-2rxp-v6pw-ch6m"],"modified":"2026-04-12T04:27:28.191530Z","published":"2024-10-28T14:10:23.212Z","related":["ALSA-2024:10834","ALSA-2024:10850","ALSA-2024:10858","ALSA-2024:10860","CGA-4fmh-g28c-xxpv","MGASA-2025-0001","RLSA-2024:10858","SUSE-SU-2025:0736-1","SUSE-SU-2025:4264-1","SUSE-SU-2026:1066-1","openSUSE-SU-2025:0129-1"],"database_specific":{"cwe_ids":["CWE-1333"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49761.json"},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"},{"type":"WEB","url":"https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49761.json"},{"type":"ADVISORY","url":"https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49761"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241227-0004/"},{"type":"FIX","url":"https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/rexml","events":[{"introduced":"0"},{"fixed":"38eaa86ac7abe0d31cf49d8df57ad239fdeb80e9"},{"fixed":"ce59f2eb1aeb371fe1643414f06618dbe031979f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.9"}]}}],"versions":["v3.1.8","v3.1.9","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4","
v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6","v3.3.7","v3.3.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49761.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"}]}