CVE-2024-35176: REXML contains a denial of service vulnerability

Published May 16, 2024
·
Updated

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Other sources

REXML contains a denial of service vulnerability

Microsoft

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many <s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

Launchpad

Affected Software

13 affected componentsFixes available
redhat/REXML<3.2.7
3.2.7
rubygems/rexml<3.2.7
3.2.7
debian/ruby2.7<=2.7.4-1+deb11u1
2.7.4-1+deb11u5
debian/ruby3.1<=3.1.2-7+deb12u1
ruby-lang Rexml Ruby<3.2.7
Microsoft cbl2 rubygem-rexml 3.2.5-1
Patch available
Microsoft azl3 rubygem-rexml 3.2.6-1
Patch available
Microsoft azl3 ruby 3.3.0-4
Patch available
Microsoft cbl2 ruby 3.1.4-9
Patch available
Microsoft azl3 rubygem-rexml 3.2.8-1
Patch available
Microsoft cbl2 rubygem-rexml 3.2.7-1
Patch available
Microsoft azl3 ruby 3.3.3-1
Patch available
Microsoft cbl2 ruby 3.1.4-6
Patch available

Remediation

Patch Available

https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

Event History

May 16, 2024
CVE Published
via MITRE·03:13 PM
Data Sourced
via MITRE·03:13 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:15 PM
RemedyAffected Software
Advisory Published
via GitHub·05:44 PM
May 19, 2024
Data Sourced
via Microsoft·07:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
DescriptionSeverity
Nov 5, 2024
Data Sourced
via Launchpad·06:46 AM
Description
Apr 11, 2025
Data Sourced
via Ubuntu·03:37 PM
RemedyDescriptionSeverityAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-35176?

CVE-2024-35176 has a denial of service (DoS) severity, affecting the REXML gem versions prior to 3.2.7.

2

How do I fix CVE-2024-35176?

To fix CVE-2024-35176, upgrade the REXML gem to version 3.2.7 or later.

3

Who is affected by CVE-2024-35176?

Users of REXML gem versions before 3.2.7 that parse untrusted XML data are particularly affected by CVE-2024-35176.

4

What versions of REXML are vulnerable to CVE-2024-35176?

REXML gem versions earlier than 3.2.7 are vulnerable to CVE-2024-35176.

5

Is there an alternative to REXML if I cannot update to fix CVE-2024-35176?

If you cannot update REXML, consider using other XML parsing libraries that do not have this vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203