CVE-2024-41123 Overview
CVE-2024-41123 is a denial of service (DoS) vulnerability in REXML, an XML toolkit for Ruby. The upstream advisory describes several parsing flaws, each triggered when an input document contains many instances of a specific sequence: whitespace characters, >], or ]>. An attacker who can supply crafted XML to a Ruby application that parses it with REXML can drive the parser into excessive CPU consumption. The flaw is classified under CWE-400: Uncontrolled Resource Consumption. The advisory summary says "before version 3.3.2", but the fixes ship only in REXML 3.3.3, so every version below 3.3.3 should be treated as vulnerable.
Critical Impact
Remote, unauthenticated attackers can cause denial of service in any Ruby application that parses untrusted XML with a vulnerable REXML version; a single crafted request is enough to tie up one worker for an extended period.
Affected Products
- Ruby rexml gem versions prior to 3.3.3
- Ruby applications and frameworks bundling vulnerable REXML
- Downstream distributions including Debian LTS and NetApp products referencing REXML
Discovery Timeline
- 2024-08-01 - CVE-2024-41123 published to NVD and announced on the Ruby news channel
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-41123
Vulnerability Analysis
The REXML gem provides XML parsing for Ruby applications through DOM (REXML::Document), SAX2, stream, and pull parser interfaces. The vulnerability sits in the tokenizer routines that handle specific character sequences during parsing. According to the Ruby security announcement, parsing a document containing many whitespace characters, >] sequences, or ]> sequences leads to excessive CPU consumption.
The issue is purely an availability problem. Confidentiality and integrity are not affected. The attack succeeds without authentication or user interaction when the application accepts XML input over the network.
Root Cause
The root cause is uncontrolled resource consumption [CWE-400] in REXML parser logic. Specific character sequences trigger inefficient code paths during tokenization, so parse time grows much faster than linearly in the number of repeated sequences and a modest payload ties up a worker for far longer than its size suggests. The maintainers consolidated fixes across three GitHub Security Advisories: GHSA-r55c-59qm-vjw6, GHSA-4xqq-m2hx-25v8, and GHSA-vg3r-rm7w-2xgh.
Attack Vector
The attack vector is network-based. An attacker submits a crafted XML payload containing repeated whitespace runs or >] or ]> sequences to any endpoint that hands the document to REXML for parsing. The targeted Ruby worker consumes CPU and stalls. Repeated requests exhaust application worker pools and produce a service outage.
No verified exploit code or public proof-of-concept is listed for CVE-2024-41123. The vulnerability mechanism is documented in the upstream advisories referenced above.
Detection Methods for CVE-2024-41123
Indicators of Compromise
- Sustained high CPU usage in Ruby application workers correlated with XML POST or PUT requests
- Request timeouts, 504 gateway errors, or worker restarts following inbound XML payloads
- HTTP request bodies containing unusually long runs of whitespace, repeated >], or repeated ]> sequences inside XML
- Application logs or worker-timeout stack traces with frames inside REXML parser code (for example REXML::Parsers::BaseParser), or parse operations aborted by a timeout
Detection Strategies
- Inventory dependencies with bundle info rexml (Bundler-managed applications) or gem list rexml (system gems) to identify hosts running REXML below 3.3.3
- Inspect Gemfile.lock across repositories for transitive pins to vulnerable REXML versions
- Apply software composition analysis (SCA) scanners against application manifests to flag CVE-2024-41123
- Deploy web application firewall rules that inspect XML request bodies for abnormal character repetition, keeping in mind that pretty-printed documents contain whitespace runs and every CDATA section ends in ]]>, so thresholds must be tuned rather than set to zero
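The lockfile inspection above can be scripted. The following is an added example, not tooling from REXML or Bundler, that parses the specs: section of a Gemfile.lock directly (the four-space "name (version)" lines that Bundler writes) and compares the resolved rexml version against 3.3.3 with Gem::Version. The function names lockfile_specs and rexml_status and the sample lockfile are constructed for this example; platform-qualified versions such as 1.16.7-x86_64-linux are kept as strings and never fed to Gem::Version, which rejects them.

```ruby
require "rubygems"  # Gem::Version; loaded by default, required here for clarity

FIXED_REXML_VERSION = Gem::Version.new("3.3.3")

# Bundler writes every resolved gem in a lockfile's "specs:" section as a line
# indented by exactly four spaces, "    name (version)"; a gem's own
# dependencies follow at six spaces and are skipped by the anchored regex.
def lockfile_specs(lock_text)
  lock_text.each_line.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    m && [m[1], m[2]]
  end
end

# Returns nil when rexml is not locked at all (the app then loads whatever
# copy the Ruby install bundles, which a lockfile scan cannot see); otherwise
# the resolved version and whether it is below the fixed release.
def rexml_status(lock_text)
  entry = lockfile_specs(lock_text).find { |name, _| name == "rexml" }
  return nil unless entry
  version = entry[1]
  { version: version, vulnerable: Gem::Version.new(version) < FIXED_REXML_VERSION }
end

# Constructed Gemfile.lock excerpt (not from any real project) pinning a
# vulnerable rexml.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)
      rexml (3.3.1)
        strscan
      strscan (3.1.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rexml

  BUNDLED WITH
     2.5.16
LOCK

# Usage: ruby scan_rexml.rb path/to/Gemfile.lock [...]; with no arguments the
# constructed sample above is scanned.
sources = ARGV.empty? ? { "(sample)" => SAMPLE_LOCKFILE } : ARGV.to_h { |p| [p, File.read(p)] }
sources.each do |path, text|
  status = rexml_status(text)
  if status.nil?
    puts "#{path}: rexml not locked (check the Ruby install's bundled version)"
  else
    verdict = status[:vulnerable] ? "VULNERABLE (< 3.3.3)" : "ok"
    puts "#{path}: rexml #{status[:version]} #{verdict}"
  end
end
```

Run it over every Gemfile.lock found by find . -name Gemfile.lock to cover transitive pins; a nil result is not a clean bill of health, because an application that never lists rexml still loads the interpreter's bundled copy.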
Monitoring Recommendations
- Alert on per-request CPU time exceeding established baselines for endpoints that accept XML
- Monitor REXML parse durations using application performance monitoring (APM) instrumentation
- Rate-limit clients submitting XML payloads and flag clients that trigger repeated timeouts
- Capture full request bodies for failed XML parses to support post-incident analysis
How to Mitigate CVE-2024-41123
Immediate Actions Required
- Upgrade the rexml gem to version 3.3.3 or later across all Ruby environments
- Rebuild and redeploy container images and bundler artifacts to ensure patched REXML is loaded at runtime
- Apply distribution updates such as the Debian LTS announcement where applicable
- Review NetApp environments against the NetApp advisory ntap-20241227-0005
Patch Information
REXML 3.3.3 and later contain the fixes for CVE-2024-41123. Update via gem update rexml, or pin gem 'rexml', '>= 3.3.3' in the project Gemfile and run bundle update rexml, then verify the resolved version with bundle info rexml. Because REXML also ships with the Ruby interpreter as a bundled gem, an application that does not list rexml in its Gemfile loads the interpreter's copy regardless of what is installed elsewhere; adding the pin is what makes Bundler resolve the patched version. Full fix details are documented in GHSA-r55c-59qm-vjw6.
Workarounds
- Restrict the maximum size of XML request bodies at the reverse proxy or application layer
- Enforce per-request CPU and wall-clock timeouts on Ruby workers handling XML input
- Reject XML payloads from untrusted sources where REXML cannot be upgraded immediately
- Switch endpoints that accept external XML to another parser such as Nokogiri; this is a code change rather than a drop-in swap, and the replacement needs its own hardening (entity expansion and external entity handling)
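The first two workarounds (a body-size cap and a per-request deadline) can be enforced at the point where the application hands a body to REXML. The following is an added example, not code from REXML or from the advisory, wrapping REXML::Document.new in a byte limit and a Timeout deadline; the limits, the name parse_untrusted_xml, the XmlRejected error class, and the sample document are assumptions made for this example.

```ruby
require "rexml/document"
require "timeout"

MAX_XML_BYTES    = 256 * 1024  # assumed cap; size it to the largest legitimate document
PARSE_DEADLINE_S = 2.0         # assumed wall-clock budget for one parse

class XmlRejected < StandardError; end

# Parses an untrusted body with REXML behind a byte cap and a deadline.
# A block, if given, replaces the REXML call so the guard itself can be
# exercised with a deliberately slow parser (as in the demo below).
def parse_untrusted_xml(body, max_bytes: MAX_XML_BYTES, seconds: PARSE_DEADLINE_S)
  if body.bytesize > max_bytes
    raise XmlRejected, "body is #{body.bytesize} bytes, limit #{max_bytes}"
  end
  # REXML is pure Ruby, so Timeout can interrupt its parse loop; the worker
  # still burns CPU until the deadline, which is why this is a stopgap only.
  Timeout.timeout(seconds) do
    block_given? ? yield(body) : REXML::Document.new(body)
  end
rescue Timeout::Error
  raise XmlRejected, "parse exceeded #{seconds}s deadline"
rescue REXML::ParseException => e
  raise XmlRejected, "malformed XML: #{e.message.lines.first.to_s.strip}"
end

# Constructed, well-formed input for the demo.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <order id="42"><item sku="A-1" qty="3"/></order>
XML

if $PROGRAM_NAME == __FILE__
  doc = parse_untrusted_xml(SAMPLE_XML)
  puts "parsed root <#{doc.root.name}> with #{doc.root.elements.size} child element(s)"
  begin
    # Simulate a parser that hangs, as the vulnerable code paths do.
    parse_untrusted_xml("<a/>", seconds: 0.05) { |_| sleep 1 }
  rescue XmlRejected => e
    puts "rejected: #{e.message}"
  end
end
```

Two caveats a practitioner should keep in mind: the byte cap reduces exposure but does not remove it, because the cost is algorithmic and a payload well under the cap can still consume the whole deadline; and Timeout raises asynchronously inside the guarded block, so the guard belongs around the parse call alone, not around code that holds locks or writes state. Neither limit is a substitute for upgrading to 3.3.3.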
# Upgrade REXML in a bundler-managed project (pin gem 'rexml', '>= 3.3.3' in the Gemfile first)
bundle update rexml
bundle info rexml # confirm version >= 3.3.3
# System-wide gem update
gem update rexml
gem list rexml # expect 3.3.3 or later
# Confirm which copy the interpreter actually loads (matters for apps that do not pin rexml)
ruby -rrexml/rexml -e 'puts REXML::VERSION'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


