What is CVE-2024-49761?

CVE-2024-49761 is a vulnerability in Ruby Rexml, classified under Inefficient Regular Expression Complexity. Published 2024-10-28.

Is CVE-2024-49761 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Ruby Rexml

CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or la…

Vulnerability class: ReDoS (Regular Expression Denial of Service)

EPSS: 0.016 (82.3th percentile) — read the EPSS interpretation.

Affected products

Ruby Rexml — versions < 3.3.9

Weakness classification (CWE)

CWE-1333 — Inefficient Regular Expression Complexity

Public proof-of-concept exploits

References

https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m (x_refsource_CONFIRM)
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f (x_refsource_MISC)
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-49761?: CVE-2024-49761 is a vulnerability in Ruby Rexml, classified under Inefficient Regular Expression Complexity. Published 2024-10-28.
Is CVE-2024-49761 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.