CVE-2021-28965 Overview
CVE-2021-28965 is an XML round-trip vulnerability in the REXML gem, a pure Ruby XML processing library bundled with Ruby. The vulnerability exists in REXML versions before 3.2.5 and affects Ruby versions before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1. When an XML document is parsed and then serialized back to XML, the resulting document may differ from the original, potentially producing an incorrect document that could bypass security controls or corrupt data integrity.
Critical Impact
Applications relying on REXML for XML parsing and serialization may produce incorrect documents, potentially leading to data integrity issues, security bypass scenarios, or application logic errors when processed downstream.
Affected Products
- Ruby-lang REXML (versions before 3.2.5)
- Ruby-lang Ruby (versions before 2.6.7, 2.7.x before 2.7.3, 3.x before 3.0.1)
- Fedora Project Fedora 34
Discovery Timeline
- 2021-04-05 - Ruby-lang publishes security advisory
- 2021-04-21 - CVE CVE-2021-28965 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28965
Vulnerability Analysis
This vulnerability stems from improper handling of XML round-trip operations within the REXML library. XML round-tripping refers to the process of parsing an XML document into an internal representation and then serializing it back to XML format. In a secure implementation, this process should be idempotent—the output should faithfully represent the original input structure and content.
The flaw in REXML causes the library to produce an incorrect document after the parse-and-serialize cycle. This non-idempotent behavior can have significant security implications, particularly in scenarios where XML documents are used for authentication, authorization, digital signatures, or data exchange between systems.
Root Cause
The root cause lies in REXML's internal handling of certain XML constructs during the parsing and serialization phases. The library fails to properly preserve specific XML elements, attributes, or formatting during the round-trip process. This implementation deficiency results in data loss or transformation that changes the semantic meaning of the document.
The vulnerability is categorized as an "Other" weakness type (NVD-CWE-Other), indicating it doesn't fit neatly into standard CWE classifications but represents a fundamental failure in the library's core XML processing functionality.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no privileges or user interaction. An attacker could exploit this vulnerability in scenarios where:
- An application accepts XML input from untrusted sources
- The application parses the XML using REXML and then re-serializes it
- The resulting document is used for security-sensitive operations such as signature verification, access control decisions, or data validation
The vulnerability enables attackers to craft XML documents that, when round-tripped through REXML, produce output that differs from the original in ways that could bypass security controls. For example, a digitally signed XML document might have its signature invalidated after round-tripping, or security-relevant content might be altered.
The vulnerability manifests during the XML parsing and serialization cycle within REXML. When maliciously crafted XML is processed, the library may fail to preserve critical document structure or content. For detailed technical analysis and exploitation scenarios, refer to the Ruby XML Vulnerability Notice.
Detection Methods for CVE-2021-28965
Indicators of Compromise
- Unexpected differences between incoming XML documents and their serialized outputs in application logs
- XML signature validation failures in systems that use REXML for XML processing
- Anomalous XML documents in data pipelines that appear to have been modified during processing
Detection Strategies
- Audit Ruby application dependencies to identify REXML versions below 3.2.5 using gem list rexml or bundler dependency analysis
- Review Ruby version across systems to identify installations below 2.6.7, 2.7.3, or 3.0.1 respectively
- Implement XML input/output comparison testing in development environments to detect round-trip discrepancies
- Monitor application logs for XML-related errors or unexpected behavior in document processing workflows
Monitoring Recommendations
- Enable verbose logging for XML processing operations in Ruby applications using REXML
- Implement integrity checks that compare XML documents before and after REXML processing in sensitive workflows
- Monitor gem and Ruby version updates across the environment to ensure patched versions are deployed
- Track security advisories from Ruby-lang for REXML and core Ruby security updates
How to Mitigate CVE-2021-28965
Immediate Actions Required
- Upgrade REXML gem to version 3.2.5 or later immediately
- Update Ruby to version 2.6.7, 2.7.3, or 3.0.1 or later depending on your Ruby version branch
- Review applications that use REXML for XML processing to assess potential impact
- Consider switching to alternative XML processing libraries such as Nokogiri for security-critical applications
Patch Information
Ruby-lang has released patched versions addressing this vulnerability. The REXML gem version 3.2.5 and later contains the fix. Additionally, Ruby versions 2.6.7, 2.7.3, and 3.0.1 include the updated REXML library. Organizations should upgrade to these versions immediately.
For detailed patch information, refer to the Ruby XML Vulnerability Notice. Fedora users should apply updates via the standard package management system as documented in the Fedora Package Announcement.
Workarounds
- Implement input validation to sanitize XML documents before processing with REXML
- Use alternative XML parsing libraries such as Nokogiri that are not affected by this vulnerability
- Add application-level verification to compare XML documents before and after round-tripping for critical operations
- Avoid using REXML for security-sensitive XML operations until the system can be patched
# Update REXML gem to patched version
gem update rexml
# Verify installed REXML version
gem list rexml
# Update Ruby to patched version (example using rbenv)
rbenv install 3.0.1
rbenv global 3.0.1
# Verify Ruby version
ruby --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
