<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>CVE-2024-41946: DoS vulnerability in REXML</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta itemprop="image" content="https://www.ruby-lang.org/images/header-ruby-logo@2x.png">
<meta name="description" content="">
<link rel="stylesheet" type="text/css" href="/stylesheets/normalize.css">
<link rel="stylesheet" type="text/css" href="/stylesheets/main.css">
<link rel="stylesheet" type="text/css" href="/stylesheets/pygments.css">
<link rel="stylesheet" type="text/css" href="/stylesheets/mobile.css">
<link rel="stylesheet" type="text/css" href="/stylesheets/print.css">
<link href='https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic,700italic&subset=latin,cyrillic,greek,vietnamese' rel='stylesheet' type='text/css'>
<link rel="canonical" href="https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/">
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico">
<link href="/en/feeds/news.rss" rel="alternate" title="Recent News (RSS)" type="application/rss+xml">
<script type="text/javascript" src="/javascripts/jquery.min.js"></script>
<script type="text/javascript" src="/javascripts/page.js"></script>
</head>
<body>
<div id="header">
<div id="header_content" class="container">
<a href="/en/"> <h1>Ruby</h1> <h2>A Programmer's Best Friend</h2> </a>
<div class="site-links"> <a href="/en/" class="home">Home</a> <a href="/en/downloads/">Downloads</a> <a href="/en/documentation/">Documentation</a> <a href="/en/libraries/">Libraries</a> <a href="/en/community/">Community</a> <a href="/en/news/">News</a> <a href="/en/security/">Security</a> <a href="/en/about/">About Ruby</a> <a href="#" class="menu selected">Menu</a> </div>
</div>
</div>
<div id="page">
<div id="main-wrapper" class="container">
<div id="main">
<div id="content-wrapper">
<h1>CVE-2024-41946: DoS vulnerability in REXML</h1>
<div id="content">
<p class="post-info">Posted by kou on 1 Aug 2024</p>
<p>There is a DoS vulnerability in the REXML gem. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-41946">CVE-2024-41946</a>. We strongly recommend upgrading the REXML gem.</p>
<h2>Details</h2>
<p>When parsing an XML document that has many entity expansions with the SAX2 or pull parser API, the REXML gem may take a long time.</p>
<p>Please update the REXML gem to version 3.3.3 or later.</p>
<h2>Affected versions</h2>
<ul> <li>REXML gem 3.3.2 or prior</li> </ul>
<h2>Credits</h2>
<p>Thanks to <a href="https://github.com/naitoh">NAITOH Jun</a> for discovering and fixing this issue.</p>
<h2>History</h2>
<ul> <li>Originally published at 2024-08-01 03:00:00 (UTC)</li> </ul>
</div>
</div>
<hr class="hidden-modern" />
<div id="sidebar-wrapper">
<div id="sidebar">
<div class="navigation">
<h3><strong>Recent News</strong></h3>
<ul class="menu"> <li><a href="/en/news/2024/11/05/ruby-3-3-6-released/">Ruby 3.3.6 Released</a></li> <li><a href="/en/news/2024/10/30/ruby-3-2-6-released/">Ruby 3.2.6 Released</a></li> <li><a href="/en/news/2024/10/28/redos-rexml-cve-2024-49761/">CVE-2024-49761: ReDoS vulnerability in REXML</a></li> <li><a href="/en/news/2024/10/07/ruby-3-4-0-preview2-released/">Ruby 3.4.0 preview2 Released</a></li> <li><a href="/en/news/2024/09/03/3-3-5-released/">Ruby 3.3.5 Released</a></li> </ul>
</div>
<h3>Syndicate</h3>
<p><a href="/en/feeds/news.rss">Recent News (RSS)</a></p>
</div>
</div>
<hr class="hidden-modern" />
</div>
</div>
</div>
<div class="container">
<div id="footer">
<div class="site-links"> <a href="/en/" class="home">Home</a> <a href="/en/downloads/">Downloads</a> <a href="/en/documentation/">Documentation</a> <a href="/en/libraries/">Libraries</a> <a href="/en/community/">Community</a> <a href="/en/news/">News</a> <a href="/en/security/">Security</a> <a href="/en/about/">About Ruby</a> </div>
<p> This site in other languages: <a href="/bg/">Български</a>, <a href="/de/">Deutsch</a>, <a href="/en/">English</a>, <a href="/es/">Español</a>, <a href="/fr/">Français</a>, <a href="/id/">Bahasa Indonesia</a>, <a href="/it/">Italiano</a>, <a href="/ja/">日本語</a>, <a href="/ko/">한국어</a>, <a href="/pl/">polski</a>, <a href="/pt/">Português</a>, <a href="/ru/">Русский</a>, <a href="/tr/">Türkçe</a>, <a href="/vi/">Tiếng Việt</a>, <a href="/zh_cn/">简体中文</a>, <a href="/zh_tw/">繁體中文</a>. </p>
<p><a href="/en/about/website/">This website</a> is proudly maintained by members of the Ruby community.</p>
</div>
</div>
</body>
</html>
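A defender-side companion to the Details section above, added here as an example that is not part of the advisory or of the REXML project: it checks the loaded REXML version against the fixed release named in the advisory and pre-screens untrusted input for entity declarations and references before the SAX2 parser runs. The thresholds, the sample documents and the helper names are assumptions.

```ruby
# Added example, not code from the advisory or the REXML project: gate untrusted
# XML before it reaches REXML's SAX2 parser by checking the loaded REXML version
# against the fixed release and pre-screening the input for entity declarations
# and references. Thresholds and sample documents are constructed assumptions.
require "rexml/document"
require "rexml/parsers/sax2parser"

FIXED_REXML_VERSION = Gem::Version.new("3.3.3") # first fixed release per the advisory
MAX_ENTITY_DECLARATIONS = 10                    # assumed policy limit
MAX_ENTITY_REFERENCES   = 100                   # assumed policy limit

# True when the given REXML version is not affected by CVE-2024-41946.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML_VERSION
end

# Cheap pre-screen on the raw text, done before any XML parser runs.
def entity_counts(xml)
  { declarations: xml.scan(/<!ENTITY\b/i).size,
    references:   xml.scan(/&[A-Za-z_][\w.-]*;/).size }
end

def safe_to_parse?(xml)
  counts = entity_counts(xml)
  counts[:declarations] <= MAX_ENTITY_DECLARATIONS &&
    counts[:references] <= MAX_ENTITY_REFERENCES
end

# Counts start-element events with the SAX2 API. Input failing the screen is
# refused on every version (defense in depth); an affected version is reported
# so the caller can log it and schedule the upgrade.
def count_elements_with_sax2(xml)
  raise ArgumentError, "input exceeds entity limits" unless safe_to_parse?(xml)
  warn "REXML #{REXML::VERSION} is affected by CVE-2024-41946; upgrade" unless rexml_patched?
  elements = 0
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(:start_element) { |_uri, _local, _qname, _attrs| elements += 1 }
  parser.parse
  elements
end

# Constructed samples: two entities (passes), and 50 declarations (refused).
SAMPLE_XML = <<~XML
  <!DOCTYPE r [
    <!ENTITY a "aaaa">
    <!ENTITY b "&a;&a;">
  ]>
  <r><item>&b;</item><item>&a;</item></r>
XML
HEAVY_XML = "<!DOCTYPE r [" + (1..50).map { |i| %(<!ENTITY e#{i} "x">) }.join + "]><r/>"
```

The text screen is a stopgap for hosts that cannot upgrade immediately; the advisory's actual fix is REXML 3.3.3 or later.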