Upgrade REXML gem to 3.3.6 to fix DoS vulnerability (CVE-2024-43398)
Description
Summary
The REXML gem versions prior to 3.3.6 contain a Denial of Service (DoS) vulnerability when parsing deeply nested XML documents that have elements with the same local name attributes.

Impact
Applications using REXML::Document.new (tree parser API) to parse untrusted XML input may consume excessive memory and CPU, potentially leading to application hangs or crashes. Projects that only use the stream or SAX2 parser APIs are not affected.

Affected Component
/output/SourcePackages/checkouts/DeviceKit/Gemfile.lock
Detected version: rexml 3.2.5

Fix / Recommendation
Upgrade the rexml gem to version 3.3.6 or later to include the official patch.

Workaround
If immediate upgrade is not possible, avoid parsing untrusted XML data using the tree parser API (REXML::Document.new).

References
Ruby security advisory: https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/
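The following Ruby is an added example illustrating the detection and workaround described in this ticket; it is not code from the DeviceKit project or from the REXML gem. It shows three things: reading the pinned rexml version out of a Gemfile.lock (the lockfile text below is constructed, not the project's), comparing it against the 3.3.6 fix version, and a parse helper that only uses the tree API (REXML::Document.new) when the loaded REXML is patched and otherwise falls back to the SAX2 streaming parser, which the advisory lists as unaffected. The `version:` keyword on `parse_untrusted` is a hypothetical knob added here so the unpatched path can be exercised on a patched Ruby.

```ruby
require "rexml/document"
require "rexml/parsers/sax2parser"
require "rexml/sax2listener"

# First rexml release carrying the CVE-2024-43398 fix, per the Ruby advisory.
REXML_FIXED_VERSION = Gem::Version.new("3.3.6")

# Constructed Gemfile.lock fragment (not the project's real lockfile) pinning the
# affected version reported in the ticket.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.5)
LOCK

# Pull the pinned rexml version string out of Gemfile.lock text, or nil if absent.
def lockfile_rexml_version(lock_text)
  m = lock_text.match(/^\s+rexml \((\d+(?:\.\d+)*)\)/)
  m && m[1]
end

# True when the given version (default: the loaded REXML) carries the fix.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= REXML_FIXED_VERSION
end

# SAX2 listener that records element local names and maximum nesting depth
# without building an in-memory tree.
class DepthListener
  include REXML::SAX2Listener
  attr_reader :max_depth, :names

  def initialize
    @depth = 0
    @max_depth = 0
    @names = []
  end

  def start_element(_uri, localname, _qname, _attrs)
    @depth += 1
    @max_depth = @depth if @depth > @max_depth
    @names << localname
  end

  def end_element(_uri, _localname, _qname)
    @depth -= 1
  end
end

# Parse untrusted XML. The tree API is used only when REXML is at or above the
# fixed version; otherwise the SAX2 streaming API is used, matching the
# workaround in the ticket. Returns a small summary hash either way.
def parse_untrusted(xml, version: REXML::VERSION)
  if rexml_patched?(version)
    doc = REXML::Document.new(xml)
    { api: :tree, root: doc.root.name }
  else
    listener = DepthListener.new
    parser = REXML::Parsers::SAX2Parser.new(xml)
    parser.listen(listener)
    parser.parse
    { api: :sax2, root: listener.names.first, max_depth: listener.max_depth }
  end
end

# Constructed sample document (shallow; it only exercises both code paths).
SAMPLE_XML = "<root><child><grandchild/></child></root>"

if __FILE__ == $PROGRAM_NAME
  pinned = lockfile_rexml_version(SAMPLE_LOCKFILE)
  puts "Gemfile.lock pins rexml #{pinned}; patched? #{rexml_patched?(pinned)}"
  puts "Loaded REXML #{REXML::VERSION}; patched? #{rexml_patched?}"
  p parse_untrusted(SAMPLE_XML, version: pinned)
  p parse_untrusted(SAMPLE_XML)
end
```

In a real deployment the `version:` argument would not be passed; `rexml_patched?` would read `REXML::VERSION` from the loaded gem, so an upgrade to 3.3.6 or later flips the helper to the tree API automatically while older installs keep using the streaming parser for untrusted input.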