REXML DoS vulnerability
Description
REXML is an XML toolkit for Ruby. The REXML gem has several DoS vulnerabilities when it parses XML containing many specific characters such as whitespace characters, >] and ]>. The upstream description gives the affected range as "before 3.3.2", while the GitHub Security Advisory lists versions below 3.3.3 as affected; REXML 3.3.3 or later includes the patches that fix these vulnerabilities, so 3.3.3 is the version to require.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
REXML gem before 3.3.2 has Denial of Service vulnerabilities when parsing XML with many specific characters like whitespace, '>]', and ']>'.
Vulnerability
Description
CVE-2024-41123 affects the REXML gem for Ruby, an XML toolkit used for parsing and manipulating XML documents. It is a Denial of Service (DoS) issue in versions prior to 3.3.3 (the CVE text says "before 3.3.2"; the advisory's affected range is < 3.3.3). The root cause is the parser's handling of certain character sequences: an XML input containing a very large number of whitespace characters, or of the sequences >] or ]>, makes the parser consume CPU time (and potentially memory) far out of proportion to the size of the input [1][4].
Exploitation
An attacker exploits this by submitting a crafted XML document containing a large number of the problematic character sequences to any application that hands untrusted XML to REXML. No authentication is needed beyond whatever the application requires to accept XML input, and the document can arrive through any ingestion path, such as file uploads, API request bodies, or documents fetched from third parties [4]. Because the cost is incurred inside the parser, any validation REXML performs on the parsed document comes too late; the defence has to be applied before the input reaches REXML (size limits, time budgets) or by upgrading the gem.
Impact
Successful exploitation results in a Denial of Service condition, where the application may become unresponsive or crash due to high CPU or memory usage. This can disrupt availability for legitimate users. The impact is limited to availability; there is no evidence of data leakage or remote code execution [1][4].
Mitigation
The vulnerability is fixed in REXML gem version 3.3.3 or later; update to that version. If an immediate update is not possible, the Ruby project's advice is to avoid parsing untrusted XML [4]. Check the version your application actually loads: REXML is also shipped with the Ruby interpreter, so the version pinned in Gemfile.lock (if any) and the one on the interpreter can differ. The 3.3.3 release notes shown under Patches also add support for REXML::Security.entity_expansion_limit= and REXML::Security.entity_expansion_text_limit= in the SAX2 and pull parsers, which matters if those APIs are used on untrusted input. Related issues are tracked under GHSA-4xqq-m2hx-25v8 and GHSA-vg3r-rm7w-2xgh [4].
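As an added example (not REXML's code and not part of the advisory), the following Ruby script does the checks a practitioner wants after reading the Exploitation and Mitigation sections above: it decides whether a given rexml version falls inside the advisory's affected range (< 3.3.3, from the affected-packages table), reads the pinned version out of a Gemfile.lock, reports the version the running interpreter actually loads, and wraps REXML::Document.new in a byte cap and a wall-clock budget for input that must still be parsed before the upgrade lands. The helper names, the limits and the sample lockfile fragment are constructed for this illustration; REXML::VERSION and REXML::ParseException are the gem's real constants.

```ruby
# Added example (not REXML's or the advisory's own code): a vulnerable-version
# check plus a defensive wrapper for parsing untrusted XML with REXML.
# Assumptions: the patched version is 3.3.3 (GitHub Security Advisory range
# "< 3.3.3"); the helper names, limits and the sample Gemfile.lock text below
# are constructed for this illustration.
require "rexml/document"
require "rubygems"
require "timeout"

PATCHED_REXML = Gem::Version.new("3.3.3")

# True when the given REXML version string is inside the advisory's affected range.
def vulnerable_rexml?(version)
  Gem::Version.new(version) < PATCHED_REXML
end

# Scan Gemfile.lock text for a resolved line such as "    rexml (3.3.1)" and
# return the version string, or nil when rexml is not resolved in the lock.
def locked_rexml_version(lockfile_text)
  m = lockfile_text.match(/^\s+rexml \((\d+(?:\.\d+)*)\)/)
  m && m[1]
end

# Version actually loaded in this process (REXML::VERSION is defined by the gem).
def loaded_rexml_vulnerable?
  vulnerable_rexml?(REXML::VERSION)
end

class UntrustedXmlError < StandardError; end

# Parse XML from an untrusted source with two blunt guards that hold even on an
# unpatched gem: a byte cap (the reported inputs need many repeated characters)
# and a wall-clock budget so a slow parse cannot pin a worker indefinitely.
# Timeout is thread-based and interrupts REXML mid-parse; treat the result as
# discarded on timeout and prefer the fixed gem over relying on this alone.
def parse_untrusted(xml, max_bytes: 1_000_000, timeout_s: 2)
  raise UntrustedXmlError, "input exceeds #{max_bytes} bytes" if xml.bytesize > max_bytes
  Timeout.timeout(timeout_s) { REXML::Document.new(xml) }
rescue Timeout::Error
  raise UntrustedXmlError, "parse exceeded #{timeout_s}s"
rescue REXML::ParseException => e
  raise UntrustedXmlError, "malformed XML: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample Gemfile.lock fragment pinning a vulnerable rexml.
  lock = <<~LOCK
    GEM
      specs:
        rexml (3.3.1)
          strscan
  LOCK
  v = locked_rexml_version(lock)
  puts "Gemfile.lock pins rexml #{v}: #{vulnerable_rexml?(v) ? 'VULNERABLE' : 'ok'}"
  puts "loaded REXML #{REXML::VERSION}: #{loaded_rexml_vulnerable? ? 'VULNERABLE' : 'ok'}"
  doc = parse_untrusted("<root><item id=\"1\">text</item></root>")
  puts "root element: #{doc.root.name}"
end
```

Run the script from the application's bundle (bundle exec ruby check.rb) so that REXML::VERSION reflects the gem the application loads rather than whichever copy the interpreter ships; a lockfile that pins a fixed version is only meaningful if the process is actually started through Bundler.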
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rexml | RubyGems | < 3.3.3 | 3.3.3 |
Affected products
126 entries: 125 OSV package coordinates (purls) with distribution version ranges, plus the upstream ruby/rexml range. None of the entries carries a CPE.

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/jruby-9.4 | Chainguard | < 9.4.9.0-r0 |
| pkg:apk/chainguard/jruby-9.4-default-ruby | Chainguard | < 9.4.9.0-r0 |
| pkg:apk/chainguard/kube-fluentd-operator | Chainguard | < 1.18.2-r14 |
| pkg:apk/chainguard/kube-fluentd-operator-compat | Chainguard | < 1.18.2-r14 |
| pkg:apk/chainguard/kube-fluentd-operator-default-config | Chainguard | < 1.18.2-r14 |
| pkg:apk/chainguard/kube-fluentd-operator-oci-entrypoint | Chainguard | < 1.18.2-r14 |
| pkg:apk/chainguard/logstash | Chainguard | < 8.15.0-r2 |
| pkg:apk/chainguard/logstash-compat | Chainguard | < 8.15.0-r2 |
| pkg:apk/chainguard/logstash-env2yaml | Chainguard | < 8.15.0-r2 |
| pkg:apk/chainguard/logstash-jre-bcfips | Chainguard | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-jre-bcfips-compat | Chainguard | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-jre-bcfips-env2yaml | Chainguard | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-jre-bcfips-with-output-opensearch | Chainguard | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-with-output-opensearch | Chainguard | < 8.15.0-r2 |
| pkg:apk/chainguard/ruby-3.1 | Chainguard | < 3.1.6-r2 |
| pkg:apk/chainguard/ruby-3.1-base | Chainguard | < 3.1.6-r2 |
| pkg:apk/chainguard/ruby-3.1-base-dev | Chainguard | < 3.1.6-r2 |
| pkg:apk/chainguard/ruby-3.1-dev | Chainguard | < 3.1.6-r2 |
| pkg:apk/chainguard/ruby-3.1-doc | Chainguard | < 3.1.6-r2 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.16 | Chainguard | < 1.16.6.1.2-r1 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.16-kinesis | Chainguard | < 1.16.6.1.2-r1 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.17 | Chainguard | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.17-kinesis | Chainguard | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby-3.2 | Chainguard | < 3.2.5-r1 |
| pkg:apk/chainguard/ruby-3.2-base | Chainguard | < 3.2.5-r1 |
| pkg:apk/chainguard/ruby-3.2-base-dev | Chainguard | < 3.2.5-r1 |
| pkg:apk/chainguard/ruby-3.2-dev | Chainguard | < 3.2.5-r1 |
| pkg:apk/chainguard/ruby-3.2-doc | Chainguard | < 3.2.5-r1 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.16 | Chainguard | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.16-kinesis | Chainguard | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.17 | Chainguard | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.17-kinesis | Chainguard | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby-3.3 | Chainguard | < 3.3.4-r2 |
| pkg:apk/chainguard/ruby-3.3-base | Chainguard | < 3.3.4-r2 |
| pkg:apk/chainguard/ruby-3.3-base-dev | Chainguard | < 3.3.4-r2 |
| pkg:apk/chainguard/ruby-3.3-dev | Chainguard | < 3.3.4-r2 |
| pkg:apk/chainguard/ruby-3.3-doc | Chainguard | < 3.3.4-r2 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.16 | Chainguard | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.16-kinesis | Chainguard | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.17 | Chainguard | < 1.17.1.1.2-r2 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.17-kinesis | Chainguard | < 1.17.1.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.16 | Chainguard | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.16-kinesis | Chainguard | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.17 | Chainguard | < 1.17.1.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.17-kinesis | Chainguard | < 1.17.1.1.2-r2 |
| pkg:apk/wolfi/jruby-9.4 | Wolfi | < 9.4.9.0-r0 |
| pkg:apk/wolfi/jruby-9.4-default-ruby | Wolfi | < 9.4.9.0-r0 |
| pkg:apk/wolfi/kube-fluentd-operator | Wolfi | < 1.18.2-r14 |
| pkg:apk/wolfi/kube-fluentd-operator-compat | Wolfi | < 1.18.2-r14 |
| pkg:apk/wolfi/kube-fluentd-operator-default-config | Wolfi | < 1.18.2-r14 |
| pkg:apk/wolfi/kube-fluentd-operator-oci-entrypoint | Wolfi | < 1.18.2-r14 |
| pkg:apk/wolfi/logstash | Wolfi | < 8.15.0-r2 |
| pkg:apk/wolfi/logstash-compat | Wolfi | < 8.15.0-r2 |
| pkg:apk/wolfi/logstash-env2yaml | Wolfi | < 8.15.0-r2 |
| pkg:apk/wolfi/logstash-with-output-opensearch | Wolfi | < 8.15.0-r2 |
| pkg:apk/wolfi/ruby-3.1 | Wolfi | < 3.1.6-r2 |
| pkg:apk/wolfi/ruby-3.1-base | Wolfi | < 3.1.6-r2 |
| pkg:apk/wolfi/ruby-3.1-base-dev | Wolfi | < 3.1.6-r2 |
| pkg:apk/wolfi/ruby-3.1-dev | Wolfi | < 3.1.6-r2 |
| pkg:apk/wolfi/ruby-3.1-doc | Wolfi | < 3.1.6-r2 |
| pkg:apk/wolfi/ruby3.1-fluentd-kubernetes-daemonset-1.17 | Wolfi | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.1-fluentd-kubernetes-daemonset-1.17-kinesis | Wolfi | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby-3.2 | Wolfi | < 3.2.5-r1 |
| pkg:apk/wolfi/ruby-3.2-base | Wolfi | < 3.2.5-r1 |
| pkg:apk/wolfi/ruby-3.2-base-dev | Wolfi | < 3.2.5-r1 |
| pkg:apk/wolfi/ruby-3.2-dev | Wolfi | < 3.2.5-r1 |
| pkg:apk/wolfi/ruby-3.2-doc | Wolfi | < 3.2.5-r1 |
| pkg:apk/wolfi/ruby3.2-fluentd-kubernetes-daemonset-1.17 | Wolfi | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.2-fluentd-kubernetes-daemonset-1.17-kinesis | Wolfi | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby-3.3 | Wolfi | < 3.3.4-r2 |
| pkg:apk/wolfi/ruby-3.3-base | Wolfi | < 3.3.4-r2 |
| pkg:apk/wolfi/ruby-3.3-base-dev | Wolfi | < 3.3.4-r2 |
| pkg:apk/wolfi/ruby-3.3-dev | Wolfi | < 3.3.4-r2 |
| pkg:apk/wolfi/ruby-3.3-doc | Wolfi | < 3.3.4-r2 |
| pkg:apk/wolfi/ruby3.3-fluentd-kubernetes-daemonset-1.17 | Wolfi | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.3-fluentd-kubernetes-daemonset-1.17-kinesis | Wolfi | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.4-fluentd-kubernetes-daemonset-1.17 | Wolfi | < 1.17.1.1.2-r2 |
| pkg:apk/wolfi/ruby3.4-fluentd-kubernetes-daemonset-1.17-kinesis | Wolfi | < 1.17.1.1.2-r2 |
| pkg:gem/rexml | RubyGems | < 3.3.3 |
| pkg:rpm/almalinux/pcs | AlmaLinux | < 0.10.18-2.el8_10.2.alma.1 |
| pkg:rpm/almalinux/pcs-snmp | AlmaLinux | < 0.10.18-2.el8_10.2.alma.1 |
| pkg:rpm/almalinux/ruby | AlmaLinux | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-bundled-gems | AlmaLinux | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-default-gems | AlmaLinux | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-devel | AlmaLinux | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-doc | AlmaLinux | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-abrt | AlmaLinux | < 0.4.0-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-abrt-doc | AlmaLinux | < 0.4.0-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-bigdecimal | AlmaLinux | < 3.1.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-bundler | AlmaLinux | < 2.5.16-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-io-console | AlmaLinux | < 0.7.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-irb | AlmaLinux | < 1.13.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-json | AlmaLinux | < 2.7.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-minitest | AlmaLinux | < 5.20.0-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-mysql2 | AlmaLinux | < 0.5.5-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-mysql2-doc | AlmaLinux | < 0.5.5-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-pg | AlmaLinux | < 1.5.4-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-pg-doc | AlmaLinux | < 1.5.4-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-power_assert | AlmaLinux | < 2.0.3-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-psych | AlmaLinux | < 5.1.2-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-racc | AlmaLinux | < 1.7.3-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rake | AlmaLinux | < 13.1.0-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rbs | AlmaLinux | < 3.4.0-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rdoc | AlmaLinux | < 6.6.3.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rexml | AlmaLinux | < 3.3.6-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rss | AlmaLinux | < 0.3.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygems | AlmaLinux | < 3.5.16-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygems-devel | AlmaLinux | < 3.5.16-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-test-unit | AlmaLinux | < 3.6.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-typeprof | AlmaLinux | < 0.21.9-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-libs | AlmaLinux | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/opensuse/rubygem-rexml | openSUSE Leap 15.6 | < 3.3.9-bp156.4.3.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Enterprise Storage 7.1 | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise Module for Basesystem 15 SP5 | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise Module for Basesystem 15 SP6 | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise Server 15 SP2-LTSS | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise Server 15 SP3-LTSS | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise Server 15 SP4-LTSS | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Linux Enterprise Server for SAP Applications 15 SP3 | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 | SUSE Manager Server 4.3 | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/rubygem-rexml | SUSE Package Hub 15 SP6 | < 3.3.9-bp156.4.3.1 |
| ruby/rexml (GitHub, v5 range) | upstream | < 3.3.3 |
Patches
1 file changed · +34 −0
NEWS.md+34 −0 modified@@ -1,5 +1,39 @@ # News +## 3.3.3 - 2024-08-01 {#version-3-3-3} + +### Improvements + + * Added support for detecting invalid XML that has unsupported + content before root element + * GH-184 + * Patch by NAITOH Jun. + + * Added support for `REXML::Security.entity_expansion_limit=` and + `REXML::Security.entity_expansion_text_limit=` in SAX2 and pull + parsers + * GH-187 + * Patch by NAITOH Jun. + + * Added more tests for invalid XMLs. + * GH-183 + * Patch by Watson. + + * Added more performance tests. + * Patch by Watson. + + * Improved parse performance. + * GH-186 + * Patch by tomoya ishida. + +### Thanks + + * NAITOH Jun + + * Watson + + * tomoya ishida + ## 3.3.2 - 2024-07-16 {#version-3-3-2} ### Improvements
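Review bot: this patch set touches only NEWS.md, so the parser change that removes the slow path for whitespace, >] and ]> is not in the hunk and cannot be reviewed here; link the fix commits (the entry's "Improved parse performance, GH-186" is the only item that plausibly corresponds to the DoS fix, but the hunk does not say so). The 3.3.3 entry also never names CVE-2024-41123 or the related GHSA ids, so a reader of the changelog cannot tell that this release is the security upgrade; add a line under "Improvements" that ties the parse-performance item and the new REXML::Security.entity_expansion_limit= / entity_expansion_text_limit= support for SAX2 and pull parsers (GH-187) to the advisory, for example "Fixed DoS vulnerabilities when parsing untrusted XML (CVE-2024-41123)".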
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-r55c-59qm-vjw6 (GitHub advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2024-41123 (NVD entry)
[3] github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 (ruby/rexml advisory; CVE ref tag x_refsource_MISC)
[4] github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6 (ruby/rexml advisory; CVE ref tag x_refsource_CONFIRM)
[5] github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh (ruby/rexml advisory; CVE ref tag x_refsource_MISC)
[6] github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41123.yml (ruby-advisory-db entry)
[7] lists.debian.org/debian-lts-announce/2025/01/msg00011.html (Debian LTS announcement)
[8] security.netapp.com/advisory/ntap-20241227-0005 (NetApp advisory)
[9] www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123 (ruby-lang.org news post; CVE ref tag x_refsource_MISC)
News mentions
No linked articles in our index yet.