4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39908

GHSA ID

GHSA-4xqq-m2hx-25v8

EPSS Score

0.86581%

CWE

CWE-400

Published

7/16/2024

Updated

1/17/2025

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39908

CVE-2024-39908: REXML denial of service vulnerability

Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-39908

CVE-2024-39908:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39908

GHSA ID

GHSA-4xqq-m2hx-25v8

EPSS Score

0.86581%

CWE

CWE-400

Published

7/16/2024

Updated

1/17/2025

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rexml	rubygems	< 3.3.2	3.3.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inefficient processing of specific character patterns in XML parsing. While exact function names aren't explicitly disclosed in the advisory, the SAX2 parser (mentioned in release notes) and document parsing entry points are primary candidates given their role in XML processing. The medium confidence reflects the lack of direct commit/diff evidence, but aligns with: 1) The CWE-400 resource consumption pattern 2) SAX2 parser fixes mentioned in v3.3.2 release notes 3) Historical precedent in similar REXML vulnerabilities involving parsing loops.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-39908: REXML denial of service vulnerability

Impact

Patches

Workarounds

References

CVE-2024-39908:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

4.3

4.3

CVE-2024-39908: REXML denial of service vulnerability

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI