Description
Summary
Versions of the REXML gem prior to 3.3.6 contain a Denial of Service (DoS) vulnerability triggered when parsing deeply nested XML documents whose elements carry attributes sharing the same local name.
Impact
Applications using REXML::Document.new (tree parser API) to parse untrusted XML input may consume excessive memory and CPU, potentially leading to application hangs or crashes.
Projects that only use the stream or SAX2 parser APIs are not affected.
Affected Component
/output/SourcePackages/checkouts/DeviceKit/Gemfile.lock
Detected version: rexml 3.2.5
Fix / Recommendation
Upgrade the rexml gem to version 3.3.6 or later to include the official patch.
Workaround
If immediate upgrade is not possible, avoid parsing untrusted XML data using the tree parser API (REXML::Document.new).
References
Ruby security advisory: https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/