Version 3.3.9

rexml

An XML toolkit for Ruby

Install Instructions

gem install rexml

Current Version Release Date December 15, 2024

Language Ruby

Package URL (purl) pkg:gem/rexml@3.3.9

Find rexml vulnerabilities in your supply chain.

Scan for Free

rexml Vulnerabilities

Sort by

CVE (Latest)

CVE (Latest)
CVE (Oldest)
CVSS Score (Highest)
CVSS Score (Lowest)

CVE	CVSS Score	CWE(s)	EPSS Score	EPSS %	Impacted Versions
CVE-2024-35176	Medium 5.3	CWE-770, CWE-400	0.00045	0.1741	3.1.7.3–3.2.6
CVE-2024-39908	Medium 4.3	CWE-400	0.00043	0.1094	3.1.7.3–3.3.1
CVE-2024-41123	Medium 5.3	CWE-400	0.00056	0.25468	3.1.7.3–3.3.2
CVE-2024-41946	High 7.5	CWE-400	0.00056	0.25468	3.1.7.3–3.3.2
CVE-2024-43398	Medium 5.9	CWE-776	0.00043	0.1094	3.1.7.3–3.3.5
CVE-2024-49761	High 7.5	CWE-1333	0.00053	0.23477	3.1.7.3–3.3.8
CVE-2021-28965	High 7.5	CWE-611	0.00083	0.37276	3.1.7.3–3.2.4

rexml Vulnerability Remediation Guidance

CVE	Description	Full list of Impacted Versions	Fix
CVE-2024-49761	REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.	3.2.5, 3.3.8, 3.3.7, 3.3.6, 3.2.8, 3.3.1, 3.3.2, 3.3.4 (Show all)	Minor → 3.3.9
CVE-2024-43398	REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.	3.2.5, 3.2.8, 3.3.1, 3.3.2, 3.3.4, 3.3.5, 3.3.3, 3.1.9.1 (Show all)	Minor → 3.3.9
CVE-2024-41946	REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.	3.2.5, 3.2.8, 3.3.1, 3.3.2, 3.1.9.1, 3.1.9, 3.2.6, 3.3.0 (Show all)	Minor → 3.3.9
CVE-2024-41123	REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.	3.2.5, 3.2.8, 3.3.1, 3.3.2, 3.1.9.1, 3.1.9, 3.2.6, 3.3.0 (Show all)	Minor → 3.3.9
CVE-2024-39908	REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.	3.2.5, 3.2.8, 3.3.1, 3.1.9.1, 3.1.9, 3.2.6, 3.3.0, 3.2.9 (Show all)	Minor → 3.3.9
CVE-2024-35176	REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.	3.2.5, 3.1.9.1, 3.1.9, 3.2.6, 3.2.3, 3.2.4, 3.2.0, 3.2.2 , 3.2.1, 3.1.8, 3.1.7.3 (Show all)	Minor → 3.3.9
CVE-2021-28965	The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.	3.1.9.1, 3.1.9, 3.2.3, 3.2.4, 3.2.0, 3.2.2, 3.2.1, 3.1.8 , 3.1.7.3 (Show all)	Patch → 3.3.9

Instantly see if these rexml vulnerabilities affect your code.

Scan for Free