CVE-2024-35176: REXML contains a denial of service vulnerability

CVSS Score: 5.3 (CVSS version 3.1)

Basic Information

EPSS Score: 0.87234%
Published: 5/16/2024
Updated: 3/7/2025
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| rexml | rubygems | < 3.2.7 | 3.2.7 |
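
A dependency check for the affected range listed above, as an added example (not Miggo's or the REXML project's code): it reads the resolved rexml version from a `Gemfile.lock` and compares it with the first patched version, 3.2.7. The helper names and the sample lockfiles are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version

# First patched rexml release, taken from the table on this page.
FIRST_PATCHED_REXML = Gem::Version.new("3.2.7")

# Resolved rexml versions in a Gemfile.lock (passed as a string).
# Resolved gems sit at 4 spaces of indent under "specs:"; the 6-space
# lines below them are dependency constraints and are skipped.
def locked_rexml_versions(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A {4}rexml \(([^)\s-]+)(?:-[^)]+)?\)\s*\z/)
    Gem::Version.new(m[1]) if m && Gem::Version.correct?(m[1])
  end
end

# True when any resolved rexml version is older than the first patched one.
def rexml_affected?(lockfile_text)
  locked_rexml_versions(lockfile_text).any? { |v| v < FIRST_PATCHED_REXML }
end

# Constructed sample lockfiles (example_dep is a made-up gem name).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_dep (1.0.0)
        rexml (>= 3.2.5, < 4.0)
      rexml (3.2.6)

  DEPENDENCIES
    example_dep
LOCK

PATCHED_LOCK = VULNERABLE_LOCK.sub("rexml (3.2.6)", "rexml (3.2.7)")

if __FILE__ == $PROGRAM_NAME
  # Audit the lockfile given as the first argument, or the sample above.
  path = ARGV[0]
  text = path && File.file?(path) ? File.read(path) : VULNERABLE_LOCK
  versions = locked_rexml_versions(text)
  status = rexml_affected?(text) ? "AFFECTED (< 3.2.7)" : "not affected"
  puts "rexml #{versions.map(&:to_s).join(', ')}: #{status}"
end
```

Run it as `ruby check_rexml.rb path/to/Gemfile.lock` (the script name is arbitrary); without an argument it audits the constructed sample.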

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from inefficient parsing of quoted attribute values. The pre-patch code in `baseparser.rb` used a regex that required scanning the entire attribute value at once (`.*?` pattern), which becomes exponentially slower with many consecutive special characters. The commit replaced this with chunked reading via `read_until`, demonstrating the vulnerable pattern was in the regex-based attribute value extraction. The `Source` class modifications adding `read_until` and modifying `read()` show the original I/O handling contributed to the resource exhaustion issue. The added performance test validates the quadratic complexity problem in attribute parsing.


WAF Protection Rules

WAF Rule

### Impact

The REXML gem before 3.2.7 has a DoS vulnerability when it parses an XML that has many `<`s in an attribute value. If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

### Patches

The REXML gem 3.2.7 or later
