CVE-2024-49761

CVSS v3.1 base score: 7.5 HIGH

📋 TL;DR

CVE-2024-49761 is a Regular Expression Denial of Service (ReDoS) vulnerability in REXML, Ruby's XML toolkit. REXML before 3.3.9 can be made to spend excessive CPU on an XML document that places many digits between "&#" and "x…;" in a hex numeric character reference, so an attacker who can get such a document parsed causes denial of service. The stall depends on the interpreter's regular expression engine: Ruby 3.2 and later do not exhibit it, which leaves Ruby 3.1 as the only maintained Ruby release that is affected.

💻 Affected Systems

Products:
  • Ruby REXML gem
  • Ruby applications using REXML
Versions: REXML gem 3.3.8 and earlier (any version before 3.3.9) running on Ruby 3.1; earlier, end-of-life Ruby releases share the behaviour
Operating Systems: All operating systems running affected Ruby/REXML versions
Default Config Vulnerable: ⚠️ Yes
Notes: Affected only when REXML < 3.3.9 runs on Ruby 3.1 (or an older, end-of-life Ruby). Ruby 3.2 and later are not vulnerable even with an old REXML. Any application that hands untrusted XML to REXML, directly or through a dependency, is at risk.

📦 What is this software?

REXML is the pure-Ruby XML parser and document toolkit that ships with Ruby. Since Ruby 3.0 it is distributed as a bundled gem rather than as part of the core library, so the copy an application loads can come either from the Ruby installation or from a newer gem resolved through Bundler; this is why the fix is a gem update rather than a Ruby patch release.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion from processing malicious XML, leading to sustained downtime.

🟠

Likely Case

Degraded application performance or temporary service disruption when processing malicious XML payloads.

🟢

If Mitigated

Negligible once REXML is 3.3.9 or later (or the interpreter is Ruby 3.2 or later): the crafted document parses in normal time. Request size limits and rate limiting bound the damage in the interim.

🌐 Internet-Facing: HIGH - XML parsing endpoints exposed to untrusted input are vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal applications processing untrusted XML could be affected, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only delivering a document of the described shape to any code path that parses untrusted XML with REXML; no authentication or special timing is involved beyond reaching that endpoint. The vendor advisory states the triggering input shape (many digits between "&#" and "x…;"), which is sufficient to build a payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: REXML gem 3.3.9 or later

Vendor Advisory: https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761

Restart Required: Yes

Instructions:

1. Install the fixed gem: 'gem update rexml' (pulls 3.3.9 or later). On Ruby 3.1, rexml is a bundled gem, so the newer version is installed beside the bundled copy and RubyGems loads the newest one on require.
2. Under Bundler, the version that runs is whatever Gemfile.lock resolves: add gem "rexml", ">= 3.3.9" to the Gemfile and run 'bundle update rexml' so the lockfile records the fixed version.
3. Restart Ruby application services; a running process keeps the version it loaded at boot.
4. Verify with 'gem list rexml' and, for the copy actually loaded, ruby -e 'require "rexml/rexml"; puts REXML::VERSION' (prefix with 'bundle exec' for a Bundler-managed app).

🔧 Temporary Workarounds

Input validation and sanitization

all

Before a document reaches REXML, reject bodies that exceed a size ceiling and any document whose numeric character references carry more digits than a Unicode code point can need (7 decimal or 6 hex digits cover U+10FFFF). This narrows the attack input but does not fix the regular expression; keep it as a stopgap only.

Upgrade Ruby version

linux

Upgrade from Ruby 3.1 to Ruby 3.2 or later: Ruby 3.2's regular expression engine does not exhibit the stall, even with an unpatched REXML. The commands below install 3.2.0; any 3.2 or later release serves.

rvm install ruby-3.2.0
rbenv install 3.2.0

🧯 If You Can't Patch

  • Enforce request size limits and schema validation in front of the parser, and reject numeric character references with more digits than any code point needs (8 or more decimal digits after "&#", 7 or more hex digits after "&#x")
  • Deploy WAF or reverse-proxy rules on the same digit-run pattern; the match is a plain bounded run and is itself linear-time, so it cannot be turned into a second ReDoS
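
As a concrete form of the two stopgaps above, the following Ruby is an added example (not code from this page or from the REXML project): a linear-time gate that rejects a document before it reaches REXML when it carries a numeric character reference with more digits than any Unicode code point can need, plus a size ceiling. The RejectedInput class, the guarded_parse name, the one-megabyte default and the two sample documents are assumptions made for this example; the samples are constructed, not taken from real traffic.

```ruby
require "rexml/document"

# Raised when input fails the pre-parse gate (name chosen for this example).
class RejectedInput < StandardError; end

# A numeric character reference never needs more digits than the largest
# Unicode code point (U+10FFFF: 6 hex digits, 7 decimal digits). Longer runs
# are either malformed or padding aimed at the parser, so flag them.
# Each alternative is one greedy run with no overlap between branches, so
# this pattern is linear in the input length and cannot itself be stalled.
SUSPICIOUS_CHARREF = /&#(?:x[0-9a-fA-F]{7,}|[0-9]{8,})/

# True if the raw document text contains a numeric character reference with
# an oversized digit run. It scans raw bytes, so it also sees comments and
# CDATA; a false positive there is acceptable for a stopgap gate.
def suspicious_charref?(xml)
  SUSPICIOUS_CHARREF.match?(xml)
end

# Parse with REXML only after the cheap checks pass: a byte ceiling (the
# 1 MB default is an assumption) and the digit-run check above.
# Returns the REXML::Document; raises RejectedInput otherwise.
def guarded_parse(xml, max_bytes: 1_000_000)
  raise RejectedInput, "document exceeds #{max_bytes} bytes" if xml.bytesize > max_bytes
  raise RejectedInput, "oversized numeric character reference" if suspicious_charref?(xml)
  REXML::Document.new(xml)
end

# Constructed sample inputs for this example.
BENIGN_XML  = "<root>&#x41;&#65;</root>"                    # "A" twice, short references
HOSTILE_XML = "<root>&#" + ("0" * 100_000) + "x41;</root>"  # advisory shape: many digits between &# and x

if __FILE__ == $PROGRAM_NAME
  puts guarded_parse(BENIGN_XML).root.text   # => AA
  begin
    guarded_parse(HOSTILE_XML)
  rescue RejectedInput => e
    puts "rejected: #{e.message}"
  end
end
```

The same pattern can be lifted into a WAF or reverse-proxy rule. It narrows one input shape; it does not change the regular expression inside REXML, so it is not a substitute for the gem update.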

🔍 How to Verify

Check if Vulnerable:

Run 'ruby -v' and 'gem list rexml'. Vulnerable if the interpreter is Ruby 3.1.x (or older) and the REXML that actually gets loaded is below 3.3.9. 'gem list' shows every installed version, so when several are present confirm the one your application requires (under Bundler, the one recorded in Gemfile.lock).

Check Version:

ruby -v && gem list rexml && ruby -e 'require "rexml/rexml"; puts REXML::VERSION'

Verify Fix Applied:

Confirm that the loaded REXML is 3.3.9 or later by printing REXML::VERSION from inside the application's own Ruby environment (not just from 'gem list', which shows every installed copy), then parse a sample document of the advisory's shape under a timeout: it should complete or be rejected in milliseconds rather than stall.
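
To make the version check and the sample-document step repeatable, the following Ruby is an added example (not code from this page or from the REXML project). It reports whether the running REXML/Ruby pair falls inside the affected window and parses an advisory-shaped document (many digits between "&#" and "x…;") under a wall-clock budget. The function names, the 20,000-digit sample, the five-second budget and the sample documents are assumptions; the advisory gives the shape of the trigger but not a specific payload, so treat a :timeout as the only positive signal and a quick :ok or :error as inconclusive on its own.

```ruby
require "timeout"
require "rexml/rexml"      # defines REXML::VERSION
require "rexml/document"

FIXED_REXML = Gem::Version.new("3.3.9")  # first fixed gem release
SAFE_RUBY   = Gem::Version.new("3.2.0")  # Ruby 3.2+ is unaffected whatever the gem version

# The affected window from the advisory: REXML before 3.3.9 on Ruby before 3.2.
def vulnerable_window?(rexml_version, ruby_version)
  Gem::Version.new(rexml_version) < FIXED_REXML &&
    Gem::Version.new(ruby_version) < SAFE_RUBY
end

# Constructed sample shaped like the advisory's description: many digits
# between "&#" and "x...;". Zeros keep the nominal value at U+0041 ("A").
def advisory_shaped_xml(digit_count)
  "<root>&#" + ("0" * digit_count) + "x41;</root>"
end

def elapsed_since(started)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
end

# Parse under a wall-clock budget. Returns :status of :ok, :error or :timeout,
# the elapsed seconds, and the root's text on success. Only :timeout is the
# ReDoS symptom; :error means REXML rejected the input promptly, which is fine.
def timed_parse(xml, budget_seconds)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  text = Timeout.timeout(budget_seconds) { REXML::Document.new(xml).root.text }
  { status: :ok, seconds: elapsed_since(started), text: text }
rescue Timeout::Error
  { status: :timeout, seconds: elapsed_since(started), text: nil }
rescue StandardError => e
  { status: :error, seconds: elapsed_since(started), text: nil,
    error: "#{e.class}: #{e.message[0, 80]}" }
end

if __FILE__ == $PROGRAM_NAME
  window = vulnerable_window?(REXML::VERSION, RUBY_VERSION) ? "inside" : "outside"
  puts "REXML #{REXML::VERSION} on Ruby #{RUBY_VERSION}: #{window} the affected window"
  result = timed_parse(advisory_shaped_xml(20_000), 5)
  puts "advisory-shaped input: #{result[:status]} after #{result[:seconds].round(3)}s"
end
```

A budget-bounded parse is also the stopgap available to a Ruby 3.1 service until the gem is updated (Regexp.timeout only exists from Ruby 3.2). Timeout interrupts REXML mid-parse, so discard the partial document and run the parse in a scope where that abort is safe.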

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes in Ruby processes
  • XML parsing errors or timeouts
  • Unusually large XML payloads in request logs

Network Indicators:

  • Repeated XML requests whose numeric character references carry long digit runs
  • Request bodies containing "&#" followed by many digits before "x…;" (the trigger shape the advisory describes)

SIEM Query:

source="application.log" AND ("REXML" OR "XML parse") AND ("timeout" OR "Timeout::Error" OR "&#")

Request bodies rarely reach application logs, so pair this with CPU-time and request-duration metrics for the Ruby worker processes.

🔗 References

  • Vendor advisory: https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
