Denial of service in REXML
Description
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses XML that has many specific characters such as <, 0 and %>. If you need to parse untrusted XML, you may be impacted by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
REXML gem before 3.3.1 has denial-of-service vulnerabilities when parsing XML with many specific characters, fixed in 3.3.2.
CVE-2024-39908 describes multiple denial-of-service (DoS) vulnerabilities in the REXML XML toolkit for Ruby, affecting versions prior to 3.3.1 [1]. The root cause involves inefficient handling of XML input containing a high volume of specific characters such as <, 0, and %>, which can lead to excessive resource consumption during parsing [1][4].
An attacker can exploit these vulnerabilities by providing a crafted XML document containing many of the problematic characters to an application that parses untrusted XML using REXML. No authentication or special network position is required beyond the ability to supply the malicious XML input, making the attack surface broad for services that accept user-supplied XML [1].
Successful exploitation could cause the parsing process to consume excessive CPU or memory, leading to a denial-of-service condition that may impact the availability of the affected service. The vulnerabilities do not appear to allow code execution or data exfiltration, as the impact is limited to resource exhaustion [1].
The REXML gem version 3.3.2 (and later) includes patches to address these DoS vulnerabilities. Users are strongly advised to upgrade to at least version 3.3.2 [1][4]. For those unable to upgrade, the only recommended mitigation is to avoid parsing untrusted XML strings entirely [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
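As an added defensive example (not code from the advisory or the rexml project): a Ruby guard that applies the mitigation above, refusing to parse untrusted XML unless the loaded REXML is at least the patched 3.3.2 listed in the affected-packages table. The byte cap, the error class and the helper names are assumptions of this example.

```ruby
# Added example for CVE-2024-39908 (not from the advisory or rexml itself):
# gate REXML parsing of untrusted input on the first patched release.
require "rubygems"

PATCHED_REXML = Gem::Version.new("3.3.2") # patched version from the advisory table

# true when the given REXML version string is older than the first patched release
def rexml_affected?(version_string)
  Gem::Version.new(version_string) < PATCHED_REXML
end

# Version of the REXML that would be loaded on this host; nil when REXML is absent.
# Older REXML only defined REXML::Version, newer ones define REXML::VERSION too.
def installed_rexml_version
  require "rexml/rexml"
  defined?(REXML::VERSION) ? REXML::VERSION : REXML::Version
rescue LoadError
  nil
end

class UntrustedXmlRejected < StandardError; end # assumed error type for this example

# Parse untrusted XML only when the loaded REXML carries the fix; otherwise reject,
# which is the advisory's recommended mitigation for hosts that cannot upgrade.
# max_bytes is an additional, caller-chosen size cap (an assumption, not from the page).
def parse_untrusted_xml(xml, version: installed_rexml_version, max_bytes: 64 * 1024)
  raise UntrustedXmlRejected, "REXML is not available" if version.nil?
  if rexml_affected?(version)
    raise UntrustedXmlRejected, "REXML #{version} is affected by CVE-2024-39908; refusing untrusted input"
  end
  raise UntrustedXmlRejected, "input exceeds #{max_bytes} bytes" if xml.bytesize > max_bytes
  require "rexml/document"
  REXML::Document.new(xml)
end
```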
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rexml (RubyGems) | < 3.3.2 | 3.3.2 |
Affected products
- ruby/rexml: range < 3.3.2
Patches
- 12b285ac0804f
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4xqq-m2hx-25v8 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-39908 (ADVISORY)
- github.com/ruby/rexml/releases/tag/v3.3.2 (WEB)
- github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 (WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-39908.yml (WEB)
- lists.debian.org/debian-lts-announce/2025/01/msg00011.html (WEB)
- security.netapp.com/advisory/ntap-20250117-0008 (WEB)
- www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908 (WEB)
News mentions
No linked articles in our index yet.