CVE-2024-41946
📋 TL;DR
CVE-2024-41946 is a denial-of-service vulnerability in REXML, Ruby's XML toolkit, where parsing XML with many entity expansions via SAX2 or pull parser APIs causes excessive resource consumption. This affects Ruby applications using REXML gem version 3.3.2 or earlier. Attackers can crash or degrade service availability by sending specially crafted XML documents.
💻 Affected Systems
- Ruby applications using REXML gem
- Applications with embedded REXML
📦 What is this software?
Rexml by Ruby Lang
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability requiring restart, potentially affecting all users of the vulnerable application.
Likely Case
Temporary service degradation or crashes affecting availability until the process restarts.
If Mitigated
Minimal impact with proper input validation, rate limiting, and updated versions.
🎯 Exploit Status
Exploitation requires sending XML with many entity expansions to vulnerable endpoints. No authentication needed if XML input is accepted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: REXML gem 3.3.3 or later
Vendor Advisory: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
Restart Required: Yes
Instructions:
1. Update the REXML gem: `gem update rexml`
2. Update the Gemfile to specify `gem 'rexml', '>= 3.3.3'`
3. Run `bundle update rexml` if using Bundler
4. Restart application services
🔧 Temporary Workarounds
Limit XML entity expansions
Configure REXML to limit entity expansions via environment variables or code configuration:
`export RUBYOPT='-r rexml/security'`
In Ruby code: `REXML::Security.entity_expansion_limit = 10000`
Disable external entity processing
Configure REXML to disable external entity resolution to prevent expansion attacks:
`REXML::Document.entity_expansion_limit = 0`
`REXML::Security.entity_expansion_text_limit = 0`
🧯 If You Can't Patch
- Implement XML input validation and sanitization before parsing
- Deploy WAF rules to block XML with excessive entity expansions
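The two workarounds above (capping REXML's expansion counters and validating XML before parsing) combined in one defensive wrapper, as an added example that is not code from the advisory or from the rexml project; the thresholds, the `UnsafeXML` class, the helper names and the sample documents are assumptions constructed for this illustration.

```ruby
require "rexml/document"   # also loads REXML::Security

# Assumed thresholds for this example; tune them to the documents you expect.
MAX_ENTITY_DECLS = 5
MAX_ENTITY_REFS  = 50

# REXML's own global knobs. The gem defaults are 10_000 expansions and
# 10_240 bytes of expanded text, so a "limit" of 10000 changes nothing;
# pick values well below what legitimate input needs.
REXML::Security.entity_expansion_limit = 1_000
REXML::Security.entity_expansion_text_limit = 1_024

class UnsafeXML < StandardError; end

# Count internal <!ENTITY ...> declarations and named references (&name;),
# ignoring the predefined lt/gt/amp/apos/quot and numeric &#...; references.
def entity_stats(xml)
  decls = xml.scan(/<!ENTITY\s/i).size
  refs  = xml.scan(/&(?!(?:lt|gt|amp|apos|quot)\b|#)[A-Za-z_][\w.-]*;/).size
  [decls, refs]
end

# Reject the raw string before any REXML API (DOM, SAX2, pull) touches it.
def screen(xml)
  decls, refs = entity_stats(xml)
  raise UnsafeXML, "#{decls} ENTITY declarations" if decls > MAX_ENTITY_DECLS
  raise UnsafeXML, "#{refs} entity references" if refs > MAX_ENTITY_REFS
  xml
end

# Screened DOM parse; the REXML::Security limits remain as a second layer.
def parse_root_text(xml)
  REXML::Document.new(screen(xml)).root.text
end

# Constructed samples (not from the advisory).
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE doc [ <!ENTITY greet "hello"> ]>
  <doc>&greet; world</doc>
XML

FLOOD_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE doc [ <!ENTITY a "aaaaaaaaaa"> ]>
  <doc>#{"&a;" * 60}</doc>
XML
```

`screen` runs on the raw string, so it protects SAX2 and pull-parser call sites (the ones this CVE concerns) as well as the DOM API shown here.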
🔍 How to Verify
Check if Vulnerable:
Check REXML version: `gem list rexml` or `bundle show rexml`
Check Version:
`ruby -e "require 'rexml'; puts REXML::VERSION"`
Verify Fix Applied:
Confirm version is 3.3.3+: `rexml -v` or check Gemfile.lock
📡 Detection & Monitoring
Log Indicators:
- High memory/CPU usage spikes during XML parsing
- Application crashes or restarts after XML processing
- Unusually large XML payloads in request logs
Network Indicators:
- Incoming XML documents with repeated entity references
- XML payloads with DOCTYPE declarations containing many ENTITY definitions
SIEM Query:
source=application_logs AND ("XML parsing error" OR "out of memory" OR "REXML") AND (entity_expansion OR DoS)
🔗 References
- https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
- https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
- https://security.netapp.com/advisory/ntap-20250117-0007/