CVE-2024-49761 in rexml Gem
Summary
by MITRE • 10/28/2024
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/09/2025
The vulnerability identified as CVE-2024-49761 represents a Regular Expression Denial of Service (ReDoS) flaw within the REXML XML toolkit for Ruby applications. This vulnerability specifically manifests when the gem processes XML documents containing excessive numeric sequences between the &# and x...; delimiters in hex numeric character references. The affected version range includes REXML gem versions prior to 3.3.9, making it a significant concern for applications that rely on XML parsing functionality. The vulnerability is particularly noteworthy because it only affects Ruby 3.1, while Ruby 3.2 and later versions are immune to this particular issue, indicating a targeted regression in the parsing logic that was subsequently addressed in the patched releases.
The technical implementation of this vulnerability stems from the way REXML handles hex numeric character references during XML parsing operations. When encountering malformed XML with numerous digits between the &#x and ; delimiters, the regular expressions used for validation and parsing become susceptible to catastrophic backtracking patterns. This occurs because the parsing algorithm attempts to match increasingly complex patterns as the number of digits grows, leading to exponential execution time growth. The vulnerability falls under CWE-400, which specifically addresses Uncontrolled Resource Consumption, and more precisely maps to CWE-1321, which deals with Regular Expression Denial of Service. The attack vector involves sending specially crafted XML payloads that contain extended sequences of hexadecimal digits within character references, causing the parsing process to consume excessive computational resources.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially enabling denial of service attacks against applications that utilize REXML for XML processing. Attackers can exploit this weakness by submitting XML documents containing malformed hex numeric character references with extended digit sequences, causing the target application to experience significant processing delays or complete resource exhaustion. This vulnerability particularly affects web applications, API endpoints, and any system that processes untrusted XML input through REXML, creating opportunities for attackers to disrupt service availability. The specific targeting of Ruby 3.1 makes this vulnerability particularly concerning for legacy applications that have not yet been upgraded to newer Ruby versions, as these systems remain exposed to the attack surface.
Mitigation strategies for CVE-2024-49761 primarily involve upgrading to REXML gem version 3.3.9 or later, which includes the necessary patch to address the vulnerable regular expression patterns. Organizations should prioritize this upgrade across all affected systems, particularly those running Ruby 3.1, as the vulnerability does not exist in Ruby 3.2 and later releases. Additional protective measures include implementing input validation and sanitization for XML content, establishing rate limiting for XML processing endpoints, and deploying monitoring solutions to detect unusual processing patterns that might indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1499.004, which covers Server-Side Request Forgery, and T1595.001, which addresses Network Denial of Service, as the exploitation can result in service disruption through resource exhaustion. Security teams should also consider implementing XML schema validation and limiting the maximum size of XML documents processed to further reduce the attack surface and prevent potential exploitation scenarios.