CVE-2021-28965 in REXML Gem
Summary
by MITRE • 04/22/2021
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/09/2026
The CVE-2021-28965 vulnerability affects the REXML gem in Ruby versions prior to specific patches, representing a significant XML processing flaw that can lead to data corruption and potential security implications. This vulnerability specifically targets the XML round-trip processing capabilities within the Ruby ecosystem, where documents undergo parsing and subsequent serialization operations. The flaw manifests when XML documents are processed through REXML's parsing mechanisms and then re-serialized, resulting in incorrect document outputs that may contain malformed or unexpected content. This issue impacts Ruby versions 2.6.6 and earlier, 2.7.2 and earlier, and 3.0.0 and earlier, making it a widespread concern across multiple Ruby release lines.
The technical root cause of this vulnerability stems from improper handling of XML round-trip scenarios within the REXML implementation. When an XML document is parsed and then serialized back to its string representation, the gem fails to maintain the original document structure and content integrity. This failure occurs during the transformation process where XML entities, attributes, or structural elements may be incorrectly interpreted or lost during the parsing-to-serialization cycle. The vulnerability is classified as a round-trip processing issue that can result in malformed XML output, potentially leading to downstream processing errors or security implications when the corrupted XML is consumed by other systems or applications. This behavior aligns with CWE-119, which addresses improper access to memory, and CWE-129, which covers insufficient validation of length of inputs, as the flawed processing can lead to unexpected content manipulation.
The operational impact of CVE-2021-28965 extends beyond simple data corruption, as it can create security risks when applications relying on XML processing are exposed to maliciously crafted input. Applications that process user-supplied XML content, such as web services, configuration parsers, or document processing systems, may be vulnerable to attacks that exploit this round-trip inconsistency. When malformed XML is processed through affected REXML versions, the resulting output can contain unexpected content that may be interpreted differently by consuming applications, potentially leading to injection attacks, data manipulation, or unexpected behavior in downstream systems. The vulnerability also affects applications that rely on XML serialization for data exchange, where the corrupted output could break compatibility with other systems expecting standard XML formats. This issue has particular relevance in environments where XML processing is critical for business operations or security-sensitive applications.
Organizations affected by this vulnerability should immediately upgrade to patched versions of Ruby and the REXML gem to eliminate the risk of XML round-trip corruption. The recommended remediation involves updating to Ruby 2.6.7, 2.7.3, or 3.0.1 and later, which contain the necessary fixes for the REXML processing inconsistencies. Security teams should conduct comprehensive vulnerability assessments to identify all applications using affected Ruby versions and ensure proper patching across the entire infrastructure. Additionally, organizations should implement monitoring for any unusual XML processing behavior or data corruption incidents that may indicate exploitation of this vulnerability. The ATT&CK framework categorizes this vulnerability under T1059.007 for XML External Entity (XXE) processing, though the specific nature of this vulnerability lies more in the serialization rather than external entity processing. Organizations should also consider implementing input validation controls and XML schema validation to provide additional layers of protection against potential exploitation of similar vulnerabilities in their XML processing pipelines.