Introduction: If you are using the REXML XML toolkit in your Ruby applications, it's critical to be aware of a known ReDoS (Regular Expression Denial of Service) vulnerability that affects REXML gem versions before 3.3.9. This vulnerability occurs when an XML file contains many digits between &# and x...; in a hex numeric character reference (&#x...;). Ruby 3.1 is the only affected Ruby version in the maintained Ruby series. The vulnerability has been patched in REXML gem 3.3.9 and later versions.

Exploit Details: The ReDoS vulnerability is a form of denial-of-service attack that targets the efficiency of regular expression parsing. The attacker crafts malicious input to induce worst-case processing time in the targeted regular expression, resulting in an excessive load on the application and delaying other processing tasks.

The issue arises when the REXML gem, an XML toolkit for Ruby, parses an XML file containing numerous digits between &# and x...; in a hex numeric character reference (&#x...;). REXML versions before 3.3.9 take a substantial amount of time to parse such a file, and that excessive parsing time is what makes the ReDoS possible.

The good news is that Ruby 3.2 and later versions aren't affected by this vulnerability. If you are using Ruby 3.1, it is strongly recommended to update the REXML gem to version 3.3.9 or later, as these versions include the necessary patch.

Code Snippet: To demonstrate the vulnerability, we will use the following XML file as an example:

<?xml version="1.0"?>
<root>
  <node>&#x303030303030303030303030303030303030303030303030303...;</node>
</root>

The hex numeric character reference (&#x...;) contains a large number of digits, causing the ReDoS when parsed by the REXML gem in Ruby 3.1. By updating the REXML gem to version 3.3.9 or later, you can eliminate the vulnerability.

Update REXML Gem: To update the REXML gem, use the following command:

gem install rexml

This will install the latest version of the REXML gem, which includes the patch for the ReDoS vulnerability.
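The two defensive checks a practitioner would want around the code snippet and update steps above, written as an added Ruby example rather than code from the advisory or the REXML project: a version test against the patched release named in the text, and a linear-time pre-parse scan that rejects numeric character references with an implausibly long run of digits before the document ever reaches REXML. The digit threshold, the helper names and the sample documents are assumptions constructed for this example.

```ruby
# Added example (not from the advisory): pre-parse checks a defender can run
# before handing untrusted XML to REXML on Ruby 3.1.
require "rubygems"

# REXML gem version that carries the fix, taken from the advisory text.
PATCHED_REXML_VERSION = Gem::Version.new("3.3.9")

# Constructed threshold (assumption, not from the advisory): a legitimate
# numeric character reference never needs more than 8 digits, since the
# largest Unicode code point is U+10FFFF (6 hex digits / 7 decimal digits).
MAX_CHAR_REF_DIGITS = 8

# Matches decimal (&#123;) and hex (&#x7B;) numeric character references.
# The character classes are unambiguous, so this scan runs in linear time and
# does not reintroduce the backtracking problem it is meant to catch.
CHAR_REF_PATTERN = /&#(x[0-9A-Fa-f]+|[0-9]+);/

# True when the given REXML version string is at or above the patched release.
def rexml_patched?(version_string)
  Gem::Version.new(version_string) >= PATCHED_REXML_VERSION
end

# Returns the digit count of every numeric character reference in +xml+ that
# exceeds +max_digits+; an empty array means the document passed the check.
def oversized_char_refs(xml, max_digits: MAX_CHAR_REF_DIGITS)
  xml.scan(CHAR_REF_PATTERN).flat_map do |(body)|
    digits = body.start_with?("x") ? body.length - 1 : body.length
    digits > max_digits ? [digits] : []
  end
end

# Decide whether +xml+ may be passed to REXML: either the installed gem is
# patched, or the document carries no oversized character references.
def safe_to_parse?(xml, installed_rexml_version)
  rexml_patched?(installed_rexml_version) || oversized_char_refs(xml).empty?
end

# Constructed sample documents: one benign reference, and one with a long run
# of hex digits shaped like the advisory's example.
BENIGN_XML = %(<?xml version="1.0"?>\n<root><node>&#x41;</node></root>\n)
OVERSIZED_XML = %(<?xml version="1.0"?>\n<root><node>&#x#{"30" * 40};</node></root>\n)

if __FILE__ == $PROGRAM_NAME
  puts "benign document oversized refs:  #{oversized_char_refs(BENIGN_XML).inspect}"
  puts "oversized document digit counts: #{oversized_char_refs(OVERSIZED_XML).inspect}"
  puts "safe on rexml 3.3.8? #{safe_to_parse?(OVERSIZED_XML, '3.3.8')}"
  puts "safe on rexml 3.3.9? #{safe_to_parse?(OVERSIZED_XML, '3.3.9')}"
end
```

In a real application the version string would come from `Gem.loaded_specs["rexml"].version.to_s`, and in a Bundler-managed application the fix lands through `bundle update rexml` rather than a bare `gem install`, since the version pinned in Gemfile.lock is what gets loaded. The pre-parse scan is a stopgap for hosts that cannot be upgraded immediately; upgrading to REXML 3.3.9 or later remains the actual fix.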

Original References: You can find more details about the vulnerability and the affected versions in the following resources:

1. CVE (Common Vulnerabilities and Exposures) Entry: CVE-2024-49761
2. Ruby Official Security Advisory: ReDoS Vulnerability in REXML

Conclusion: If you are using Ruby 3.1 and REXML gem versions before 3.3.9, it's essential to take action immediately to address the ReDoS vulnerability. Update your REXML gem to the latest version (3.3.9 or later) to protect your Ruby applications from potential denial-of-service attacks. By staying informed and vigilant about vulnerabilities in software dependencies, you can significantly enhance your application security.

Timeline

Published on: 10/28/2024 15:15:05 UTC
Last modified on: 12/27/2024 16:15:24 UTC