If you use Ruby, especially with XML data, this post is for you. A high-severity vulnerability, CVE-2024-49761, was recently disclosed in REXML, the XML parsing gem that ships with Ruby. Let's look at how it works, what it means for your applications, how it is triggered, and how to protect yourself.

What is CVE-2024-49761?

REXML is the XML parser that ships with Ruby as a bundled gem, and it powers everything from web APIs to configuration-file handling. In versions before 3.3.9, REXML has a _ReDoS_ (Regular Expression Denial of Service) vulnerability: when it parses specially crafted XML containing a hexadecimal character reference (&#x...;) with a very large number of digits, the regular expression used to process that reference can consume enormous amounts of CPU time, freezing your application. The advisory notes that Ruby 3.2 and later are not affected, so the exposure is REXML < 3.3.9 running on Ruby 3.1 or earlier.

- Type: ReDoS (Regular Expression Denial of Service)
- Affected: REXML < 3.3.9 on Ruby 3.1 or earlier
- CVE reference: CVE-2024-49761 on the GitHub Advisory Database (GHSA-7cwx-g3qg-h63p)

Why Does This Happen?

When REXML parses a value like &#x...; (which is supposed to decode to a single character), it uses a regular expression to pull the digits out. If there are _a lot_ of digits between &#x and the closing ;, the regex engine spends a very long time working through that run before it can finish the match.

For example:

```xml
<!-- This is a normal hexadecimal character reference -->
<foo>&#x41;</foo> <!-- Decodes to 'A' -->

<!-- This is a malicious one that triggers the ReDoS -->
<foo>&#x1111111111111111111111111111111111111111111111111111111111111111;</foo>
```

The regular expression inside REXML gets stuck on the long run of digits, and the match runs on the very thread that called the parser. In a typical web worker that means the request handler hangs for the whole match, and a handful of such requests is enough to exhaust the server's capacity. Ruby 3.2 and later add memoization to the regex engine that prevents this kind of backtracking blow-up, which is why the advisory lists only Ruby 3.1 and earlier as affected.

Suppose you have a simple Ruby script that parses incoming XML:

```ruby
require 'rexml/document'

# Build a document whose hex character reference carries 100,000 digits
xml = <<~XML
  <root>
    <foo>&#x#{'1' * 100_000};</foo>
  </root>
XML

# On REXML < 3.3.9 with Ruby 3.1 or earlier this call hangs while the
# parser's regex works through the digit run
doc = REXML::Document.new(xml)
puts doc.elements['root/foo'].text
```

If you run this on Ruby 3.1 or earlier with REXML < 3.3.9, the program hangs for a very long time, pinning a CPU core the whole while. That is exactly what an attacker can use to take down a web service: a single malicious XML document sent to any endpoint that parses XML with REXML.
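To show the two things the preceding sections describe, why a bounded single-pass scan cannot be driven into a long match and how to keep a vulnerable REXML from ever seeing the attacker's digit run, here is an added example in Ruby. It is not REXML's code and not the post's; the cap on digits, the error class and the method names are assumptions of this example. The hostile payload is the one constructed above; the benign documents are constructed samples.

```ruby
# Added example, not REXML's own code: a single-pass scan for numeric
# character references ("&#65;" / "&#x41;") that caps the digit count,
# used both to decode references without a backtracking regex and as a
# gate in front of REXML::Document.new. The cap, the error class and the
# method names are this example's own choices.
require 'rexml/document'

# Assumption: the largest legal code point is U+10FFFF (6 hex / 7 decimal
# digits), so a run longer than 10 digits is never a legitimate reference.
MAX_CHARREF_DIGITS = 10

class OversizedCharRef < StandardError; end

DEC_DIGITS = '0123456789'
HEX_DIGITS = '0123456789abcdefABCDEF'

# Walks the string with a plain index: every character is looked at a
# bounded number of times, so the cost is linear in the input length no
# matter how the reference is shaped (this also catches a long run of
# leading zeros before the x). Yields [hex?, digits, start, finish] for
# each well-formed reference and raises OversizedCharRef as soon as a
# digit run exceeds max_digits, before the rest of the run is even read.
def each_numeric_charref(str, max_digits: MAX_CHARREF_DIGITS)
  pos = 0
  while (start = str.index('&#', pos))
    i = start + 2
    hex = str[i] == 'x'               # XML only allows a lowercase x here
    i += 1 if hex
    digit_set = hex ? HEX_DIGITS : DEC_DIGITS
    first = i
    i += 1 while i < str.size && i - first <= max_digits && digit_set.include?(str[i])
    digits = i - first
    if digits > max_digits
      raise OversizedCharRef, "character reference at offset #{start} has more than #{max_digits} digits"
    end
    if digits > 0 && str[i] == ';'
      yield hex, str[first, digits], start, i + 1
      pos = i + 1
    else
      pos = start + 2                 # "&#" not followed by a reference; keep scanning after it
    end
  end
end

# Decodes numeric character references into the characters they name.
# Raises ArgumentError for values XML forbids (0, surrogates, > U+10FFFF).
def decode_numeric_charrefs(str, max_digits: MAX_CHARREF_DIGITS)
  out = +''
  last = 0
  each_numeric_charref(str, max_digits: max_digits) do |hex, digits, start, finish|
    code = digits.to_i(hex ? 16 : 10)
    unless code.between?(1, 0x10FFFF) && !code.between?(0xD800, 0xDFFF)
      raise ArgumentError, "invalid code point #{code} at offset #{start}"
    end
    out << str[last...start] << code.chr(Encoding::UTF_8)
    last = finish
  end
  out << str[last..]
end

# Rejects oversized references before REXML sees the document, so a
# vulnerable REXML never runs its regex over the attacker's digit run.
def parse_xml_guarded(xml, max_digits: MAX_CHARREF_DIGITS)
  each_numeric_charref(xml, max_digits: max_digits) { }
  REXML::Document.new(xml)
end

if __FILE__ == $PROGRAM_NAME
  benign  = "<root><foo>&#x41;&#66;</foo></root>"            # constructed sample
  hostile = "<root><foo>&#x#{'1' * 100_000};</foo></root>"   # the payload from the post above
  puts parse_xml_guarded(benign).elements['root/foo'].text   # AB
  begin
    parse_xml_guarded(hostile)
  rescue OversizedCharRef => e
    puts "rejected: #{e.message}"
  end
end
```

The gate is cheap enough to run on every request body, and it rejects the hostile document after reading only eleven digits of the run. It is a stop-gap for code that cannot upgrade immediately; the real fix is still REXML >= 3.3.9 or Ruby 3.2+.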

How to Fix It

- Update the gem:

```sh
gem install rexml
```

  Or pin it in your Gemfile:

```ruby
gem 'rexml', '>= 3.3.9'
```

  Note that `gem install` only affects applications that are not managed by Bundler; for a bundled app the Gemfile.lock decides which REXML is loaded.

- Bundle update:

```sh
bundle update rexml
```

  This works whether REXML is a direct dependency or is pulled in by another gem; confirm the new version in Gemfile.lock afterwards.

- Upgrade Ruby: If possible, upgrade to Ruby 3.2 or newer. The advisory states that Ruby 3.2 and later are not affected regardless of the REXML version; Ruby 3.1 was the only maintained Ruby that was affected, and it reaches end of life on 2025-03-31.
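After applying one of the fixes above, the check a practitioner wants is whether the Ruby and REXML actually loaded by the application still fall in the affected range. The following is an added example, not code from the advisory or from REXML; the method names are this example's own, and the affected range it encodes (REXML < 3.3.9 on Ruby < 3.2) is the one stated in this post.

```ruby
# Added example, not from the advisory or REXML: a pure version check for
# the affected range described above (REXML < 3.3.9 running on Ruby < 3.2),
# plus the same check against the running interpreter. The method names are
# this example's own.
require 'rexml/rexml'   # defines REXML::VERSION

# Pure function over version strings so it can be tested with fixed inputs.
def rexml_redos_exposed?(ruby_version, rexml_version)
  ruby  = Gem::Version.new(ruby_version)
  rexml = Gem::Version.new(rexml_version)
  ruby < Gem::Version.new('3.2') && rexml < Gem::Version.new('3.3.9')
end

# Reports on the Ruby and REXML actually loaded in this process.
def report_current_environment
  exposed = rexml_redos_exposed?(RUBY_VERSION, REXML::VERSION)
  status  = exposed ? "EXPOSED, upgrade rexml to >= 3.3.9" : "not affected"
  "Ruby #{RUBY_VERSION}, REXML #{REXML::VERSION}: #{status}"
end

puts report_current_environment if __FILE__ == $PROGRAM_NAME
```

Run it with `bundle exec` so it reports the REXML locked in Gemfile.lock rather than the copy bundled with the interpreter; the two can differ, and it is the locked one your application loads.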

---

## Full References

- GitHub Advisory: GHSA-7cwx-g3qg-h63p
- Original REXML fix PR
- REXML 3.3.9 Release Notes
- CVE-2024-49761 on NVD

---

## Quick Summary

- CVE-2024-49761 affects REXML < 3.3.9 on Ruby 3.1 or earlier; Ruby 3.2+ is not affected.
- The bug is a "ReDoS": it lets an attacker freeze your app with one crafted XML document.
- Fix it by upgrading to REXML >= 3.3.9 (or by upgrading to Ruby 3.2+).
- This is a low-effort, high-impact issue for an attacker. Update now!

_Feel free to share or link to this post if you need a simple explanation for your team or security review. Stay safe!_

Timeline

Published on: 10/28/2024 15:15:05 UTC
Last modified on: 12/27/2024 16:15:24 UTC