REXML denial of service vulnerability
Description
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that contains many deeply nested elements whose attributes share the same local name. If you need to parse untrusted XML with a tree parser API such as REXML::Document.new, you may be affected by this vulnerability. If you use the other parser APIs, the stream parser API or the SAX2 parser API, you are not affected. REXML gem 3.3.6 and later include the patch that fixes the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
REXML gem before 3.3.6 has a denial-of-service vulnerability, triggered through the tree parser API, in XML with many deeply nested elements whose attributes share the same local name.
Vulnerability Description
The REXML gem for Ruby, versions prior to 3.3.6, contains a denial-of-service (DoS) vulnerability triggered while parsing specially crafted XML documents. The issue occurs in the tree parser API (e.g., REXML::Document.new) when the input XML contains deeply nested elements whose attributes share the same local name [1][2]. Parsing becomes excessively slow because the check for conflicting attribute namespaces (two prefixes bound to the same URI carrying the same local name) was inefficient, leading to a denial-of-service condition.
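The following is an added example, not code from the REXML project or from this advisory. It shows, as a stand-alone Ruby function, the kind of expanded-name check the fix commit introduces in the parser: every attribute is reduced to its expanded name `[namespace URI, local name]`, and a conflict is detected with one hash lookup per attribute, so the cost depends only on the number of attributes on the element being parsed. The input format (arrays of `[prefix, local_name, value]`, `nil` for an unprefixed attribute), the `NamespaceConflict` error class and the constructed `NS`, `OK_ATTRS` and `CONFLICT_ATTRS` samples are assumptions made for the example; REXML itself raises `REXML::ParseException`.

```ruby
# Added example, not REXML's own code: an expanded-name conflict check for the
# attributes of one element, modelled on the approach of the fix commit.

# Error type used by this example (REXML itself raises REXML::ParseException).
class NamespaceConflict < StandardError; end

# The "xml" prefix is bound implicitly and never declared.
XML_NS = "http://www.w3.org/XML/1998/namespace".freeze

# namespaces: prefix => URI bindings in scope for the element, e.g. {"ns" => "ns-uri"}
# attrs:      [[prefix, local_name, value], ...] with prefix nil when unprefixed
# Returns {qualified_name => value} for an acceptable attribute set, or raises.
def check_attributes(namespaces, attrs)
  expanded_names = {} # [uri, local_name] => prefix that first claimed it
  result = {}
  attrs.each do |prefix, local, value|
    qname = prefix ? "#{prefix}:#{local}" : local
    raise NamespaceConflict, "duplicate attribute \"#{qname}\"" if result.key?(qname)

    # xmlns:* declarations are bindings, not namespaced attributes: skip the check.
    if prefix != "xmlns"
      # Unprefixed attributes are in no namespace (Namespaces in XML, section 6.2),
      # even when a default namespace is declared, so they key on [nil, local].
      uri =
        if prefix.nil? then nil
        elsif prefix == "xml" then XML_NS
        else namespaces[prefix]
        end
      raise NamespaceConflict, "undeclared prefix \"#{prefix}\"" if prefix && uri.nil?

      key = [uri, local]
      if expanded_names.key?(key)
        existing = expanded_names[key]
        raise NamespaceConflict,
              "Namespace conflict in adding attribute \"#{local}\": " \
              "Prefix \"#{existing}\" = \"#{uri}\" and prefix \"#{prefix}\" = \"#{uri}\""
      end
      expanded_names[key] = prefix # one hash insert per attribute: linear in attrs
    end
    result[qname] = value
  end
  result
end

# Convenience wrapper: nil when the attribute set is acceptable, else the message.
def attribute_error(namespaces, attrs)
  check_attributes(namespaces, attrs)
  nil
rescue NamespaceConflict => e
  e.message
end

# Constructed samples. NS binds two prefixes (n1, n2) to one URI, the situation
# the check exists for; ns is the prefix the fix's regression test uses.
NS = { "n1" => "http://www.w3.org", "n2" => "http://www.w3.org", "ns" => "ns-uri" }.freeze
OK_ATTRS       = [["ns", "name", "ns-value"], [nil, "name", "value"]].freeze # no conflict
CONFLICT_ATTRS = [["n1", "a", "1"], ["n2", "a", "2"]].freeze                 # same URI and local name

if __FILE__ == $0
  p check_attributes(NS, OK_ATTRS)
  puts attribute_error(NS, CONFLICT_ATTRS)
end
```

`OK_ATTRS` is the shape the fix's regression test nests thousands of levels deep: a prefixed and an unprefixed attribute with the same local name are not a conflict, because the unprefixed one is in no namespace. `CONFLICT_ATTRS` is the shape the REXML test suite rejects, and the message produced here follows the wording visible in the fix commit.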
Attack Vector and Exploitation
An attacker can craft an XML payload with many deeply nested elements whose attributes share a local name. When a vulnerable application uses the tree parser API to parse such untrusted XML, the parsing operation consumes excessive CPU time, effectively causing a denial of service [1]. The vulnerability does not affect the stream parser API or the SAX2 parser API [1]. No authentication is required; the attacker only needs to get the malicious XML to the parsing routine.
Impact
Successful exploitation results in high CPU consumption, potentially rendering the affected service unresponsive or causing a complete denial of service. The impact is limited to availability; there is no evidence of data leakage or code execution.
Mitigation
The vulnerability is fixed in REXML gem version 3.3.6 and later [1][2]. Users are advised to upgrade immediately. If upgrading is not possible, applications can mitigate by parsing untrusted input with one of the parser APIs that are not affected (the stream parser API or the SAX2 parser API) instead of building a tree with REXML::Document.new [1].
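The following is an added example, not code from the REXML project or from this advisory, showing both mitigations in working Ruby: it checks the loaded REXML against the fixed version 3.3.6 with `Gem::Version`, and it parses with `REXML::Parsers::StreamParser` (the stream parser API the advisory names as unaffected) through a small listener. The nesting-depth cap in the listener is extra hardening added for this example, not part of the advisory's guidance. It assumes the `rexml` bundled gem is installed; `CountingListener`, `DepthExceeded`, `stream_parse`, `parse_untrusted` and the constructed `SAMPLE_XML` are names introduced here.

```ruby
# Added example (not REXML's own code): parse untrusted XML with the stream
# parser API and gate REXML::Document.new on the patched version.
require "rexml/document"
require "rexml/parsers/streamparser"
require "rexml/streamlistener"

FIXED_VERSION = Gem::Version.new("3.3.6") # first fixed release per the advisory

# True when the loaded (or given) REXML version carries the fix.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_VERSION
end

# Raised when the input nests deeper than the caller allows (an extra guard
# added for this example; not part of the advisory's mitigation).
class DepthExceeded < StandardError; end

# Event-driven listener: no tree is built, so work stays proportional to the
# input, and nesting depth can be capped before the document is fully read.
class CountingListener
  include REXML::StreamListener
  attr_reader :elements, :attribute_count

  def initialize(max_depth:)
    @max_depth = max_depth
    @depth = 0
    @elements = []
    @attribute_count = 0
  end

  # attrs is the attribute hash for the element, namespace declarations included.
  def tag_start(name, attrs)
    @depth += 1
    raise DepthExceeded, "depth #{@depth} exceeds #{@max_depth}" if @depth > @max_depth
    @elements << name
    @attribute_count += attrs.size
  end

  def tag_end(_name)
    @depth -= 1
  end
end

# Parse with the stream API; returns the listener holding what was seen.
def stream_parse(xml, max_depth: 64)
  listener = CountingListener.new(max_depth: max_depth)
  REXML::Parsers::StreamParser.new(xml, listener).parse
  listener
end

# Build a tree only when the installed REXML is patched; otherwise fall back to
# the stream parser so untrusted input never reaches the affected code path.
def parse_untrusted(xml, max_depth: 64)
  if rexml_patched?
    REXML::Document.new(xml)
  else
    stream_parse(xml, max_depth: max_depth)
  end
end

# Constructed sample, shaped like the regression test in the fix commit
# (same local name "name" with and without a prefix), three levels deep.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <root xmlns:ns="ns-uri">
    <x ns:name="ns-value" name="value">
      <x ns:name="ns-value" name="value"/>
    </x>
  </root>
XML

if __FILE__ == $0
  seen = stream_parse(SAMPLE_XML)
  puts "REXML #{REXML::VERSION} patched? #{rexml_patched?}"
  puts "elements: #{seen.elements.inspect}, attributes: #{seen.attribute_count}"
end
```

`rexml_patched?` reads `REXML::VERSION`, so it reports on the gem actually loaded, which on a Ruby installation may be the bundled copy rather than the one in the Gemfile. The depth cap raises before the document is fully read, which is only possible because the stream API reports each start tag as it is encountered.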
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rexml | RubyGems | < 3.3.6 | 3.3.6 |
Affected products
128 OSV coordinates, 127 versions; no CPE is assigned to any entry.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/jruby-9.4 | < 9.4.9.0-r0 |
| pkg:apk/chainguard/jruby-9.4-default-ruby | < 9.4.9.0-r0 |
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r15 |
| pkg:apk/chainguard/kube-fluentd-operator-compat | < 1.18.2-r15 |
| pkg:apk/chainguard/kube-fluentd-operator-default-config | < 1.18.2-r15 |
| pkg:apk/chainguard/kube-fluentd-operator-oci-entrypoint | < 1.18.2-r15 |
| pkg:apk/chainguard/logstash | < 8.15.0-r2 |
| pkg:apk/chainguard/logstash-compat | < 8.15.0-r2 |
| pkg:apk/chainguard/logstash-env2yaml | < 8.15.0-r2 |
| pkg:apk/chainguard/logstash-jre-bcfips | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-jre-bcfips-compat | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-jre-bcfips-env2yaml | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-jre-bcfips-with-output-opensearch | < 8.15.1-r0 |
| pkg:apk/chainguard/logstash-with-output-opensearch | < 8.15.0-r2 |
| pkg:apk/chainguard/ruby-3.1 | < 3.1.6-r3 |
| pkg:apk/chainguard/ruby-3.1-base | < 3.1.6-r3 |
| pkg:apk/chainguard/ruby-3.1-base-dev | < 3.1.6-r3 |
| pkg:apk/chainguard/ruby-3.1-dev | < 3.1.6-r3 |
| pkg:apk/chainguard/ruby-3.1-doc | < 3.1.6-r3 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.16 | < 1.16.6.1.2-r1 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.6.1.2-r1 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby3.1-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby-3.2 | < 3.2.5-r2 |
| pkg:apk/chainguard/ruby-3.2-base | < 3.2.5-r2 |
| pkg:apk/chainguard/ruby-3.2-base-dev | < 3.2.5-r2 |
| pkg:apk/chainguard/ruby-3.2-dev | < 3.2.5-r2 |
| pkg:apk/chainguard/ruby-3.2-doc | < 3.2.5-r2 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.16 | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby3.2-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r1 |
| pkg:apk/chainguard/ruby3.2-rexml | < 3.3.6-r0 |
| pkg:apk/chainguard/ruby-3.3 | < 3.3.4-r3 |
| pkg:apk/chainguard/ruby-3.3-base | < 3.3.4-r3 |
| pkg:apk/chainguard/ruby-3.3-base-dev | < 3.3.4-r3 |
| pkg:apk/chainguard/ruby-3.3-dev | < 3.3.4-r3 |
| pkg:apk/chainguard/ruby-3.3-doc | < 3.3.4-r3 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.16 | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r2 |
| pkg:apk/chainguard/ruby3.3-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.16 | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.16-kinesis | < 1.16.6.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r2 |
| pkg:apk/wolfi/jruby-9.4 | < 9.4.9.0-r0 |
| pkg:apk/wolfi/jruby-9.4-default-ruby | < 9.4.9.0-r0 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r15 |
| pkg:apk/wolfi/kube-fluentd-operator-compat | < 1.18.2-r15 |
| pkg:apk/wolfi/kube-fluentd-operator-default-config | < 1.18.2-r15 |
| pkg:apk/wolfi/kube-fluentd-operator-oci-entrypoint | < 1.18.2-r15 |
| pkg:apk/wolfi/logstash | < 8.15.0-r2 |
| pkg:apk/wolfi/logstash-compat | < 8.15.0-r2 |
| pkg:apk/wolfi/logstash-env2yaml | < 8.15.0-r2 |
| pkg:apk/wolfi/logstash-with-output-opensearch | < 8.15.0-r2 |
| pkg:apk/wolfi/ruby-3.1 | < 3.1.6-r3 |
| pkg:apk/wolfi/ruby-3.1-base | < 3.1.6-r3 |
| pkg:apk/wolfi/ruby-3.1-base-dev | < 3.1.6-r3 |
| pkg:apk/wolfi/ruby-3.1-dev | < 3.1.6-r3 |
| pkg:apk/wolfi/ruby-3.1-doc | < 3.1.6-r3 |
| pkg:apk/wolfi/ruby3.1-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.1-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby-3.2 | < 3.2.5-r2 |
| pkg:apk/wolfi/ruby-3.2-base | < 3.2.5-r2 |
| pkg:apk/wolfi/ruby-3.2-base-dev | < 3.2.5-r2 |
| pkg:apk/wolfi/ruby-3.2-dev | < 3.2.5-r2 |
| pkg:apk/wolfi/ruby-3.2-doc | < 3.2.5-r2 |
| pkg:apk/wolfi/ruby3.2-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.2-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.2-rexml | < 3.3.6-r0 |
| pkg:apk/wolfi/ruby-3.3 | < 3.3.4-r3 |
| pkg:apk/wolfi/ruby-3.3-base | < 3.3.4-r3 |
| pkg:apk/wolfi/ruby-3.3-base-dev | < 3.3.4-r3 |
| pkg:apk/wolfi/ruby-3.3-dev | < 3.3.4-r3 |
| pkg:apk/wolfi/ruby-3.3-doc | < 3.3.4-r3 |
| pkg:apk/wolfi/ruby3.3-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.3-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r1 |
| pkg:apk/wolfi/ruby3.4-fluentd-kubernetes-daemonset-1.17 | < 1.17.1.1.2-r2 |
| pkg:apk/wolfi/ruby3.4-fluentd-kubernetes-daemonset-1.17-kinesis | < 1.17.1.1.2-r2 |
| pkg:gem/rexml | < 3.3.6 |
| pkg:rpm/almalinux/pcs | < 0.10.18-2.el8_10.2.alma.1 |
| pkg:rpm/almalinux/pcs-snmp | < 0.10.18-2.el8_10.2.alma.1 |
| pkg:rpm/almalinux/ruby | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-bundled-gems | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-default-gems | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-devel | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-doc | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-abrt | < 0.4.0-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-abrt-doc | < 0.4.0-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-bigdecimal | < 3.1.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-bundler | < 2.5.16-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-io-console | < 0.7.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-irb | < 1.13.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-json | < 2.7.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-minitest | < 5.20.0-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-mysql2 | < 0.5.5-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-mysql2-doc | < 0.5.5-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-pg | < 1.5.4-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-pg-doc | < 1.5.4-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-power_assert | < 2.0.3-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-psych | < 5.1.2-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-racc | < 1.7.3-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rake | < 13.1.0-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rbs | < 3.4.0-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rdoc | < 6.6.3.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rexml | < 3.3.6-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-rss | < 0.3.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygems | < 3.5.16-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygems-devel | < 3.5.16-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-test-unit | < 3.6.1-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/rubygem-typeprof | < 0.21.9-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/almalinux/ruby-libs | < 3.3.5-3.module_el8.10.0+3894+6d587c81 |
| pkg:rpm/opensuse/rubygem-rexml (openSUSE Leap 15.6) | < 3.3.9-bp156.4.3.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Enterprise Storage 7.1) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Module for Basesystem 15 SP5) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Module for Basesystem 15 SP6) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15 SP2-LTSS) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15 SP3-LTSS) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15 SP4-LTSS) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server for SAP Applications 15 SP2) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server for SAP Applications 15 SP3) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/ruby2.5 (SUSE Manager Server 4.3) | < 2.5.9-150000.4.32.1 |
| pkg:rpm/suse/rubygem-rexml (SUSE Package Hub 15 SP6) | < 3.3.9-bp156.4.3.1 |
| ruby/rexml (GitHub) | < 3.3.6 |
Patches
1 patch
7cb5eaeb221c parser tree: improve namespace conflicted attribute check performance
4 files changed · +33 −11
lib/rexml/element.rb+0 −11 modified@@ -2384,17 +2384,6 @@ def []=( name, value ) elsif old_attr.kind_of? Hash old_attr[value.prefix] = value elsif old_attr.prefix != value.prefix - # Check for conflicting namespaces - if value.prefix != "xmlns" and old_attr.prefix != "xmlns" - old_namespace = old_attr.namespace - new_namespace = value.namespace - if old_namespace == new_namespace - raise ParseException.new( - "Namespace conflict in adding attribute \"#{value.name}\": "+ - "Prefix \"#{old_attr.prefix}\" = \"#{old_namespace}\" and "+ - "prefix \"#{value.prefix}\" = \"#{new_namespace}\"") - end - end store value.name, {old_attr.prefix => old_attr, value.prefix => value} else
lib/rexml/parsers/baseparser.rb+15 −0 modified@@ -754,6 +754,7 @@ def process_instruction def parse_attributes(prefixes) attributes = {} + expanded_names = {} closed = false while true if @source.match(">", true) @@ -805,6 +806,20 @@ def parse_attributes(prefixes) raise REXML::ParseException.new(msg, @source, self) end + unless prefix == "xmlns" + uri = @namespaces[prefix] + expanded_name = [uri, local_part] + existing_prefix = expanded_names[expanded_name] + if existing_prefix + message = "Namespace conflict in adding attribute " + + "\"#{local_part}\": " + + "Prefix \"#{existing_prefix}\" = \"#{uri}\" and " + + "prefix \"#{prefix}\" = \"#{uri}\"" + raise REXML::ParseException.new(message, @source, self) + end + expanded_names[expanded_name] = prefix + end + attributes[name] = value else message = "Invalid attribute name: <#{@source.buffer.split(%r{[/>\s]}).first}>"
test/parse/test_element.rb+14 −0 modified@@ -131,5 +131,19 @@ def test_linear_performance_attribute_value_gt REXML::Document.new('<test testing="' + ">" * n + '"></test>') end end + + def test_linear_performance_deep_same_name_attributes + seq = [100, 500, 1000, 1500, 2000] + assert_linear_performance(seq, rehearsal: 10) do |n| + xml = <<-XML +<?xml version="1.0"?> +<root xmlns:ns="ns-uri"> +#{"<x ns:name='ns-value' name='value'>\n" * n} +#{"</x>\n" * n} +</root> + XML + REXML::Document.new(xml) + end + end end end
test/test_core.rb+4 −0 modified@@ -136,6 +136,10 @@ def test_attribute_namespace_conflict # https://www.w3.org/TR/xml-names/#uniqAttrs message = <<-MESSAGE.chomp Namespace conflict in adding attribute "a": Prefix "n1" = "http://www.w3.org" and prefix "n2" = "http://www.w3.org" +Line: 4 +Position: 140 +Last 80 unconsumed characters: +/> MESSAGE assert_raise(REXML::ParseException.new(message)) do Document.new(<<-XML)
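Review bot: in lib/rexml/element.rb, removing the `if value.prefix != "xmlns" and old_attr.prefix != "xmlns"` block from `[]=` means attributes that reach `Attributes#[]=` through the element API (for example `add_attribute` on an already built tree) rather than through the parser are no longer rejected when two prefixes bound to the same URI carry the same local name; the remaining `store value.name, {old_attr.prefix => old_attr, value.prefix => value}` silently keeps both. If narrowing the check to parse time is intended, say so in the commit message and NEWS entry, and leave a one-line comment at the `store` call pointing to `BaseParser#parse_attributes` as the place where conflicts are now detected.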
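Review bot: in the first lib/rexml/parsers/baseparser.rb hunk, `expanded_names = {}` is created per `parse_attributes` call, so the conflict bookkeeping is bounded by the attribute count of the element being parsed rather than by anything in the surrounding tree; that is the property the new performance test measures, and a short comment at that line saying so would keep a future refactor from hoisting it to parser scope.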
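Review bot: in the second lib/rexml/parsers/baseparser.rb hunk, `uri = @namespaces[prefix]` runs for every attribute whose prefix is not `xmlns`, including unprefixed ones. Per Namespaces in XML an unprefixed attribute is in no namespace even when a default namespace is in scope, so please confirm that the lookup yields nil (not the default namespace URI) for the empty prefix; otherwise an element such as `<x xmlns="u" xmlns:p="u" a="1" p:a="2"/>` would be reported as a conflict where the specification allows it. A test with that input would pin the behaviour down. The error message interpolates `uri` for both prefixes, which is correct since equal URIs are the condition being detected, but the `existing_prefix` branch has no test of its own in this diff beyond the updated test_core.rb case.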
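Review bot: the new `test_linear_performance_deep_same_name_attributes` in test/parse/test_element.rb exercises only the non-conflicting shape (`ns:name` beside unprefixed `name`), so it shows the parser stays linear but not that the relocated check still fires on nested elements; add a companion case that nests the conflicting pair from `test_attribute_namespace_conflict` a few levels deep and asserts `REXML::ParseException`, so a future change that drops the check for non-root elements is caught.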
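Review bot: the expected message in test/test_core.rb now hard-codes `Line: 4`, `Position: 140` and `Last 80 unconsumed characters: />`, because the exception is raised by the parser with source context instead of by `Element#[]=`; that couples the test to the exact byte layout of the heredoc fixture and to `ParseException#to_s` formatting, so any whitespace change in the fixture will break it. Consider asserting on the first line only (for example a match on `Namespace conflict in adding attribute "a"`) inside the `assert_raise` block, and keep the position fields out of the equality check.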
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- github.com/advisories/GHSA-vmwr-mc7x-5vc3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-43398 (ghsa, ADVISORY)
- github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3 (ghsa, WEB)
- github.com/ruby/rexml/releases/tag/v3.3.6 (ghsa, x_refsource_MISC, WEB)
- github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2025/01/msg00011.html (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250103-0006 (ghsa, WEB)
- www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398 (ghsa, WEB)
News mentions
No linked articles in our index yet.