CVE-2024-41946 Overview
CVE-2024-41946 is a Denial of Service (DoS) vulnerability affecting REXML, the XML toolkit for Ruby. The vulnerability exists in REXML gem version 3.3.2 and allows attackers to cause resource exhaustion by crafting malicious XML documents containing numerous entity expansions. When processed using the SAX2 or pull parser API, these specially crafted XML documents can overwhelm system resources, leading to application unavailability.
This vulnerability is classified as a Resource Exhaustion attack (CWE-400), where an attacker can exploit insufficient controls on XML entity expansion to consume excessive memory and CPU resources. The attack can be executed remotely over the network without requiring authentication or user interaction.
Critical Impact
Remote attackers can cause Denial of Service by sending maliciously crafted XML documents with excessive entity expansions to Ruby applications using REXML's SAX2 or pull parser APIs.
Affected Products
- Ruby-lang REXML gem version 3.3.2 (the release named in the advisory; any installed version below 3.3.3 lacks the fix)
- Ruby applications utilizing REXML SAX2 parser API
- Ruby applications utilizing REXML pull parser API
Discovery Timeline
- 2024-08-01 - CVE-2024-41946 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-41946
Vulnerability Analysis
The vulnerability resides in REXML's handling of XML entity expansion in the SAX2 and pull parser APIs. Unlike the DOM API (REXML::Document), which had enforced an entity expansion limit since earlier fixes, these interfaces neither counted expansions nor enforced a limit. An attacker can therefore supply a document whose internal DTD subset declares a chain of entities, each referencing the previous one many times, so that a single reference in the body expands to fanout^depth copies of the leaf text: the "XML Bomb" or "Billion Laughs" attack.
When a vulnerable application parses such a document, the parser expands the references without bound, consuming memory proportional to the expanded text and CPU time proportional to the number of expansions, until the process is killed or the host is exhausted. Legitimate users are denied service for as long as the parse runs.
Root Cause
The root cause of CVE-2024-41946 is the absence of entity expansion tracking and limitation in the SAX2 and pull parser implementations within REXML. While REXML's Document class had existing protections against entity expansion attacks, the BaseParser class used by SAX2 and pull parser APIs did not implement an entity_expansion_count tracker or enforce expansion limits. This inconsistency in security controls across different parsing interfaces created an exploitable gap.
Attack Vector
The attack vector for CVE-2024-41946 is network-based: a remote attacker needs no authentication and no user interaction. The attack proceeds as follows:
- Craft an XML document whose DOCTYPE declares nested entity definitions, each referencing the previous one many times
- Submit it to a Ruby application that parses user-supplied XML with REXML's SAX2 or pull parser
- The parser expands the entity references without counting or limiting them
- Memory and CPU are exhausted and the application becomes unavailable
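The mechanism described in the analysis and attack steps above, as an added example that is not REXML's code: a constructed Billion-Laughs document, and a pre-parse estimator that resolves the internal-subset entities and computes how many expansions and how many characters each reference in the body would cost, rejecting the document before any parser touches it. The names (billion_laughs, internal_entities, expansion_cost, check_entity_expansion!, EntityBombError) and the regexes are mine; the default limits mirror the values REXML::Security applies (10,000 expansions, 10,240 characters of expanded text).

```ruby
require "set"

class EntityBombError < StandardError; end

# Constructed regexes for the internal DTD subset. Only internal general
# entities are matched; external (SYSTEM/PUBLIC) and parameter (%) entities
# are deliberately left to the parser's own handling.
ENTITY_DECL     = /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>/
ENTITY_REF      = /&(\w+);/
INTERNAL_SUBSET = /<!DOCTYPE[^\[>]*\[(.*?)\]\s*>/m
PREDEFINED      = %w[amp lt gt quot apos].freeze

# Constructed Billion-Laughs document: each lolN references lol(N-1)
# `fanout` times, so one &lolN; reference costs fanout**N leaf expansions.
def billion_laughs(depth: 9, fanout: 10)
  decls = ['<!ENTITY lol "lol">']
  (1..depth).each do |i|
    prev = i == 1 ? "lol" : "lol#{i - 1}"
    decls << %(<!ENTITY lol#{i} "#{"&#{prev};" * fanout}">)
  end
  "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n#{decls.join("\n")}\n]>\n<lolz>&lol#{depth};</lolz>\n"
end

# {name => replacement text} for entities declared in the internal subset.
def internal_entities(xml)
  subset = xml[INTERNAL_SUBSET, 1]
  return {} unless subset
  subset.scan(ENTITY_DECL).each_with_object({}) { |(name, dq, sq), h| h[name] = dq || sq }
end

# Cost of fully expanding one reference to `name`: [expansions, characters].
# Memoised per document; `active` catches self-referencing declarations,
# which XML forbids but a naive expander would loop on forever.
def expansion_cost(name, entities, memo = {}, active = Set.new)
  return memo[name] if memo.key?(name)
  return [0, 1] if PREDEFINED.include?(name)               # &amp; etc. expand to one char
  return [0, name.length + 2] unless entities.key?(name)   # undeclared: left for the parser
  raise EntityBombError, "entity #{name} references itself" if active.include?(name)

  active << name
  value = entities[name]
  expansions = 1
  chars = value.gsub(ENTITY_REF, "").length
  value.scan(ENTITY_REF).flatten.each do |ref|
    e, c = expansion_cost(ref, entities, memo, active)
    expansions += e
    chars += c
  end
  active.delete(name)
  memo[name] = [expansions, chars]
end

# Bound the work a parser would do before handing the document over. The
# limits are checked up front, so they hold for whichever REXML API parses
# the document next, SAX2 and pull parsers included.
def check_entity_expansion!(xml, max_expansions: 10_000, max_chars: 10_240)
  entities = internal_entities(xml)
  body = xml.sub(INTERNAL_SUBSET, "")
  memo = {}
  total = 0
  body.scan(ENTITY_REF).flatten.each do |ref|
    e, c = expansion_cost(ref, entities, memo)
    total += e
    raise EntityBombError, "&#{ref}; expands to #{c} characters" if c > max_chars
    raise EntityBombError, "#{total} entity expansions needed" if total > max_expansions
  end
  { entities: entities.size, expansions: total }
end
```

With the classic depth 9 and fanout 10, expansion_cost("lol9", ...) reports 1,111,111,111 expansions and 3,000,000,000 characters for a document of under 1 KB, which is the asymmetry the attack relies on. The estimator deliberately ignores external and parameter entities, so it is a pre-filter, not a replacement for the parser's own limits.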
The following excerpt from the fix shows the entity expansion counter being added to the BaseParser constructor and exposed as a reader:
self.stream = source
@listeners = []
@prefixes = Set.new
+ @entity_expansion_count = 0
end
def add_listener( listener )
@listeners << listener
end
attr_reader :source
+ attr_reader :entity_expansion_count
def stream=( source )
@source = SourceFactory.create_from( source )
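Review bot: `stream=` at the bottom of this hunk reassigns `@source`, but the visible lines reset `@entity_expansion_count` only in the constructor; a BaseParser instance that is re-pointed at a second document via `stream=` would carry the first document's count into the second. Suggest `@entity_expansion_count = 0` next to `@source = SourceFactory.create_from( source )`, or a comment stating where the reset happens if it is elsewhere. Nothing in this hunk increments the counter or compares it with a limit either, so the enforcement must sit in the entity-expansion path not shown here; a regression test that parses a Billion-Laughs document with the SAX2 parser and expects a ParseException would tie the counter to that check.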
Source: GitHub Commit 033d1909
The pull parser implementation was also updated to expose the entity expansion count:
@listeners << listener
end
+ def entity_expansion_count
+ @parser.entity_expansion_count
+ end
+
def each
while has_next?
yield self.pull
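Review bot: the new `entity_expansion_count` delegator has no doc comment, and a caller cannot tell from the name whether it counts for the whole document or per `pull` call, or when it resets; a one-line comment saying it mirrors the underlying `@parser`'s counter for the current source would fix that. It also assumes `@parser` responds to `entity_expansion_count`; if the wrapped parser can be anything other than a BaseParser, guard with `respond_to?` or document the requirement.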
Source: GitHub Commit 033d1909
Detection Methods for CVE-2024-41946
Indicators of Compromise
- Sudden spikes in memory consumption by Ruby application processes
- Increased CPU utilization during XML parsing operations
- Application timeouts or crashes when processing XML input
- Log entries indicating memory allocation failures or out-of-memory conditions
- Unusual XML payloads containing multiple <!ENTITY> declarations in request logs
Detection Strategies
- Implement application performance monitoring to detect abnormal resource consumption patterns during XML processing
- Configure web application firewalls (WAF) to inspect and block XML payloads containing excessive entity declarations; most WAFs do not parse DTDs, so a rule that counts `<!ENTITY` occurrences or blocks any `<!DOCTYPE` on endpoints that never need one is the practical form
- Deploy runtime application self-protection (RASP) solutions to monitor REXML parser behavior
- Use dependency scanning tools to identify applications using vulnerable REXML gem versions (< 3.3.3)
Monitoring Recommendations
- Monitor Ruby application memory and CPU metrics with alerting thresholds for anomalous spikes
- Enable detailed logging for XML parsing operations to capture suspicious input patterns
- Track REXML gem versions across your environment using software composition analysis (SCA) tools
- Implement request size and complexity limits at the application gateway level
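One way to do the dependency check called for in the detection and monitoring lists above, as an added example that is neither REXML's nor Bundler's code: read the resolved rexml version out of Gemfile.lock, compare it with 3.3.3 using Gem::Version, and at runtime look for the `entity_expansion_count` reader that the fix added to BaseParser. The lock fragment is constructed; `locked_version`, `vulnerable_rexml?`, `audit_lock` and `installed_rexml_patched?` are my names.

```ruby
require "rubygems"   # Gem::Version ships with Ruby

FIXED_REXML = Gem::Version.new("3.3.3")   # first release carrying the fix (GHSA-5866-49gr-22v4)

# Constructed Gemfile.lock fragment in the shape Bundler writes. Resolved
# specs sit exactly four spaces under `specs:`; their dependencies sit six
# spaces in, which is why the rubocop -> rexml constraint below must not be
# mistaken for the resolved rexml version.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.7)
      rubocop (1.65.1)
        rexml (>= 3.2.5, < 4.0)
      rexml (3.3.2)

  PLATFORMS
    ruby
LOCK

# Resolved version of `gem_name` from a Gemfile.lock body, or nil.
def locked_version(lock_text, gem_name)
  m = lock_text.match(/^    #{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
  m && m[1]
end

# Versions below 3.3.3 lack the SAX2/pull-parser expansion counting.
def vulnerable_rexml?(version)
  Gem::Version.new(version) < FIXED_REXML
end

def audit_lock(lock_text)
  version = locked_version(lock_text, "rexml")
  return { status: :not_locked } unless version
  { version: version, status: vulnerable_rexml?(version) ? :vulnerable : :fixed }
end

# Runtime check for the patch itself: commit 033d1909 added an
# `entity_expansion_count` reader to REXML::Parsers::BaseParser, so a
# BaseParser without it predates the fix. Returns nil if rexml is absent.
def installed_rexml_patched?
  require "rexml/parsers/baseparser"
  REXML::Parsers::BaseParser.public_method_defined?(:entity_expansion_count)
rescue LoadError
  nil
end
```

The lock-file check is what an SCA tool does internally; the runtime check is useful in a boot-time self-test, because an application can resolve one rexml in Gemfile.lock and still load the copy bundled with the Ruby interpreter if the gem is not required through Bundler.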
How to Mitigate CVE-2024-41946
Immediate Actions Required
- Upgrade REXML gem to version 3.3.3 or later immediately across all Ruby applications
- Audit applications to identify usage of REXML SAX2 or pull parser APIs with untrusted XML input
- Implement input validation and size limits for XML documents accepted from external sources
- Consider routing untrusted XML through REXML::Document, whose entity expansion limits predate this fix, or through an alternative XML library with built-in entity expansion protections, where the application does not depend on the streaming APIs
Patch Information
The vulnerability has been addressed in REXML gem version 3.3.3 and later. The patch introduces entity expansion counting (entity_expansion_count) to the BaseParser class, extending existing protections from the Document class to SAX2 and pull parser APIs.
For detailed patch information, refer to:
- GitHub Security Advisory GHSA-5866-49gr-22v4
- Ruby Official Security Announcement
- Security Patch Commit
Workarounds
- Disable or restrict XML parsing functionality for untrusted input until patching is complete
- Reject any DOCTYPE (and with it any entity declaration) in untrusted input before it reaches the parser; XML Schema validation alone does not achieve this, because the DTD is processed and entities expanded during parsing, before validation runs
- Use application-level resource limits (memory, CPU time) to contain potential exploitation
- Deploy network-level rate limiting to reduce the impact of DoS attempts
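The workarounds above combined into one parsing entry point, as an added example that is not REXML's own API: untrusted input is size-capped, refused outright if it carries a DOCTYPE, parsed with REXML's SAX2 parser under a wall-clock timeout, and REXML's own expansion limits are lowered as defence in depth. `parse_untrusted_sax2`, `UntrustedXMLError` and the limit values are mine; REXML::Security.entity_expansion_limit and entity_expansion_text_limit are real REXML settings.

```ruby
require "timeout"
require "rexml/security"
require "rexml/parsers/sax2parser"

class UntrustedXMLError < StandardError; end

# Defence in depth: these are the limits the patched BaseParser counts
# against. Lowering them process-wide costs nothing for documents that
# legitimately contain no entities. (Values are this example's choice.)
REXML::Security.entity_expansion_limit = 100
REXML::Security.entity_expansion_text_limit = 10_240

# Parse XML from an untrusted source with the SAX2 API under a fixed policy:
#   1. a byte cap, so the document cannot be large in the first place;
#   2. no DTD at all, so no entity can be declared (a DOCTYPE inside a
#      comment or CDATA is also refused; failing closed is the point);
#   3. a wall-clock bound, so a pathological document cannot hold a worker.
# Returns the element names seen and the concatenated character data.
def parse_untrusted_sax2(xml, max_bytes: 1_000_000, seconds: 2)
  raise UntrustedXMLError, "document too large (#{xml.bytesize} bytes)" if xml.bytesize > max_bytes
  raise UntrustedXMLError, "DTD not allowed in untrusted input" if xml =~ /<!DOCTYPE/i

  elements = []
  text = +""
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(:start_element) { |_uri, _local, qname, _attrs| elements << qname }
  parser.listen(:characters) { |chunk| text << chunk }
  Timeout.timeout(seconds) { parser.parse }
  { elements: elements, text: text.strip }
rescue Timeout::Error
  raise UntrustedXMLError, "parse exceeded #{seconds}s"
rescue REXML::ParseException => e
  raise UntrustedXMLError, "malformed or over-limit XML: #{e.message.lines.first.to_s.strip}"
end
```

The DOCTYPE refusal is the workaround that actually closes the hole on an unpatched gem, since the vulnerable counting gap is only reachable through entities the DTD declares; the timeout and byte cap bound the damage from anything the regex misses, and both still apply after upgrading.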
Upgrade commands (the Gemfile line pins the floor for Bundler-managed applications; `gem list rexml` prints every installed copy, so confirm the version your bundle actually resolves in Gemfile.lock):
# Upgrade REXML gem to patched version
gem update rexml
# Or specify minimum version in Gemfile
echo "gem 'rexml', '>= 3.3.3'" >> Gemfile
bundle update rexml
# Verify installed versions
gem list rexml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.