CVE-2024-49761 Overview
CVE-2024-49761 is a Regular Expression Denial of Service (ReDoS) vulnerability in REXML, the XML toolkit for Ruby. The vulnerability exists in REXML gem versions before 3.3.9, where parsing an XML document containing many digits between &# and x...; in a hex numeric character reference (&#x...;) triggers catastrophic backtracking in the regular expression engine, leading to denial of service conditions.
This vulnerability specifically affects Ruby 3.1, which is the only affected maintained Ruby version at the time of disclosure. Ruby 3.2 and later versions are not vulnerable due to improvements in the regex engine.
Critical Impact
Applications using REXML to parse untrusted XML input on Ruby 3.1 are vulnerable to denial of service attacks through crafted hex numeric character references, potentially causing application unavailability.
Affected Products
- ruby-lang rexml (versions before 3.3.9)
- ruby-lang ruby (version 3.1.x series)
- netapp ontap_tools (version 10 for VMware vSphere)
Discovery Timeline
- 2024-10-28 - CVE-2024-49761 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-49761
Vulnerability Analysis
The vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity), commonly known as ReDoS (Regular Expression Denial of Service). The flaw resides in REXML's base parser component (lib/rexml/parsers/baseparser.rb), where the CHARACTER_REFERENCES regular expression pattern improperly handles hex numeric character references.
The vulnerable regex pattern contained a quantifier (0*) that allowed unlimited leading zeros in character references, creating conditions for catastrophic backtracking. When processing malicious XML input with hex numeric character references containing many digits, the regex engine's backtracking behavior causes exponential time complexity, effectively freezing the application.
Root Cause
The root cause lies in the CHARACTER_REFERENCES constant defined in the base parser. The original regex pattern /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ incorrectly accepted �x...; format (with leading zeros before the x) as a valid character reference. The 0* quantifier allowed matching of an arbitrary number of zeros, which combined with the alternation group created a pattern susceptible to catastrophic backtracking when processing malformed input with many digits.
Attack Vector
An attacker can exploit this vulnerability by supplying a crafted XML document to any application using REXML for XML parsing on Ruby 3.1. The attack vector is network-based and requires no authentication or user interaction. The malicious XML would contain hex numeric character references with excessive digits between &# and the terminating semicolon, triggering the inefficient regex matching behavior.
# Security patch in lib/rexml/parsers/baseparser.rb
# Source: https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/
+ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
DEFAULT_ENTITIES_PATTERNS = {}
default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
default_entities.each do |term|
The fix removes the 0* quantifier from the regex pattern, preventing the acceptance of malformed character references and eliminating the ReDoS condition.
Detection Methods for CVE-2024-49761
Indicators of Compromise
- Unusual CPU spikes in Ruby processes handling XML parsing operations
- Application timeouts or hangs when processing XML documents from external sources
- Memory consumption increases in REXML-dependent services without proportional traffic increases
- Log entries showing extended XML parsing times or timeout errors
Detection Strategies
- Monitor Ruby application logs for REXML parsing errors or extended processing times
- Implement application performance monitoring (APM) to detect abnormal CPU utilization during XML processing
- Review inbound XML documents for suspicious hex numeric character references with excessive digit sequences
- Deploy web application firewall (WAF) rules to detect XML payloads with anomalous character reference patterns
Monitoring Recommendations
- Enable detailed logging for XML parsing operations in production environments
- Configure alerting thresholds for Ruby process CPU and memory utilization
- Implement request timeout mechanisms for endpoints accepting XML input
- Establish baseline metrics for XML processing duration to detect deviations
How to Mitigate CVE-2024-49761
Immediate Actions Required
- Upgrade REXML gem to version 3.3.9 or later immediately
- Upgrade Ruby to version 3.2 or later if possible, as later versions are not affected
- Implement input validation to reject XML documents with suspicious character references
- Apply network-level rate limiting to endpoints processing XML input
Patch Information
The vulnerability has been patched in REXML gem version 3.3.9. The fix modifies the CHARACTER_REFERENCES regex pattern in lib/rexml/parsers/baseparser.rb to remove the problematic 0* quantifier, ensuring proper validation of hex numeric character references.
Official resources for patching:
Workarounds
- If immediate gem upgrade is not possible, consider migrating to alternative XML parsing libraries such as Nokogiri
- Implement request timeout mechanisms for XML parsing operations to limit DoS impact
- Deploy input sanitization to filter or reject XML documents with hex numeric character references containing excessive digits
- Consider upgrading to Ruby 3.2 or later, which includes regex engine improvements that prevent this ReDoS condition
# Upgrade REXML gem to patched version
gem update rexml
# Or specify minimum version in Gemfile
echo 'gem "rexml", ">= 3.3.9"' >> Gemfile
bundle update rexml
# Verify installed version
gem list rexml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
