7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-49761

GHSA ID

GHSA-2rxp-v6pw-ch6m

EPSS Score

0.6377%

CWE

CWE-1333

Published

10/28/2024

Updated

12/27/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-49761

CVE-2024-49761: REXML ReDoS vulnerability

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-49761

GHSA ID

GHSA-2rxp-v6pw-ch6m

EPSS Score

0.6377%

CWE

CWE-1333

Published

10/28/2024

Updated

12/27/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rexml	rubygems	< 3.3.9	3.3.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the CHARACTER_REFERENCES regex pattern in baseparser.rb, which originally contained '0*' allowing arbitrary leading zeros in hex character references (&#x000...;). This created an inefficient regex that could be exploited for ReDoS. The unnormalize method executes this regex via gsub!, making it the entry point for processing malicious inputs. The commit patched both the regex pattern and the subsequent parsing logic, confirming this function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** R*XML **m ***or* *.*.* **s * R**oS vuln*r**ility w**n it p*rs*s *n XML t**t **s m*ny *i*its **tw**n `&#` *n* `x...;` in * **x num*ri* ***r**t*r r***r*n** (`&#x...;`). T*is *o*s not **pp*n wit* Ru*y *.* or l*t*r. Ru*y *.* is t** only

Reasoning

T** vuln*r**ility st*ms *rom t** `***R**T*R_R***R*N**S` r***x p*tt*rn in `**s*p*rs*r.r*`, w*i** ori*in*lly *ont*in** '**' *llowin* *r*itr*ry l***in* z*ros in **x ***r**t*r r***r*n**s (&#x***...;). T*is *r**t** *n in***i*i*nt r***x t**t *oul* ** *xplo

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-49761: REXML ReDoS vulnerability

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI