CVE-2024-35176 in rexml Geminfo

Summary

by MITRE • 05/16/2024

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/30/2025

The vulnerability identified as CVE-2024-35176 affects the REXML XML toolkit for Ruby, representing a denial of service condition that emerges during XML parsing operations. This issue specifically manifests when processing XML documents containing excessive numbers of less-than characters within attribute values, creating a scenario where the parsing mechanism becomes overwhelmed and unresponsive. The vulnerability resides in the gem's parsing algorithm which fails to properly handle malformed or maliciously constructed XML input, particularly when attribute values contain an excessive concentration of opening angle brackets that disrupt normal parsing flow.

The technical flaw in REXML stems from inadequate input validation and parsing loop management within the attribute value processing component. When the parser encounters XML containing numerous consecutive less-than characters within attribute values, it enters an inefficient processing state where the parsing logic repeatedly attempts to interpret these characters as XML markup elements rather than literal attribute content. This creates a resource exhaustion condition where CPU cycles are consumed disproportionately, leading to system unresponsiveness and potential application crashes. The vulnerability operates at the parsing layer of the XML processing stack and is classified under CWE-400, which addresses uncontrolled resource consumption, specifically in the context of input processing and parsing operations.

The operational impact of this vulnerability extends significantly to applications that process untrusted XML data, including web services, API endpoints, and any system that accepts XML input from external sources without proper sanitization. Attackers can exploit this weakness by crafting malicious XML documents with excessive less-than characters in attribute values, causing the affected applications to consume excessive computational resources or become completely unresponsive. This makes the vulnerability particularly dangerous in high-traffic environments where denial of service can result in significant service disruption and potential business impact. Systems utilizing REXML for XML processing and validation are at risk when they handle user-supplied or third-party XML content without proper input validation measures.

Organizations affected by this vulnerability should immediately upgrade to REXML gem version 3.2.7 or later, which incorporates the necessary patch to address the parsing inefficiency and resource consumption issues. The patch implements enhanced input validation and more robust parsing loop management to prevent the excessive resource consumption that previously occurred when processing malformed XML attributes. In addition to the upgrade path, administrators should implement defensive measures such as input sanitization, XML schema validation, and rate limiting for XML processing operations. The recommended workaround of avoiding untrusted XML parsing entirely should be considered a temporary mitigation while proper upgrades are implemented, aligning with ATT&CK technique T1499.004 for resource exhaustion attacks. Security teams should also monitor their applications for potential exploitation attempts and implement proper logging of XML processing activities to detect anomalous parsing patterns that may indicate attempted exploitation of this vulnerability.

Responsible

GitHub, Inc.

Reservation

05/10/2024

Disclosure

05/16/2024

Moderation

accepted

CPE

ready

EPSS

0.02064

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!