CVE-2024-35176: REXML contains a denial of service vulnerability
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.87234%
CWE
Published
5/16/2024
Updated
3/7/2025
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rexml | rubygems | < 3.2.7 | 3.2.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from inefficient parsing of quoted attribute values. The pre-patch code in baseparser.rb used a regex that required scanning the entire attribute value at once (.*? pattern), which becomes exponentially slower with many consecutive special characters. The commit replaced this with chunked reading via read_until, demonstrating the vulnerable pattern was in the regex-based attribute value extraction. The Source class modifications adding read_until and modifying read() show the original I/O handling contributed to the resource exhaustion issue. The added performance test validates the quadratic complexity problem in attribute parsing.