CVE-2025-10990 Overview
A flaw was found in REXML, the pure-Ruby XML parser distributed with Ruby (a bundled gem since Ruby 3.0) and widely pulled in as a dependency. A remote attacker could exploit an inefficient regular expression (regex) that REXML applies while processing hex numeric character references (&#x...;) in XML documents. A crafted document forces the regex engine into heavy backtracking, leading to a Regular Expression Denial of Service (ReDoS) that impacts the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.
Critical Impact
Remote attackers can cause a denial of service by sending a specially crafted XML document containing malicious hex numeric character references; the resulting regex backtracking consumes excessive CPU for as long as the parse runs, tying up the thread or worker process that handles the request.
Affected Products
- REXML, the Ruby XML parsing library (shipped with Ruby and also installed as the rexml gem)
- Ruby applications that parse XML with REXML, directly or through a dependency that uses it
- Red Hat Enterprise Linux systems with affected REXML packages
Discovery Timeline
- 2026-02-27 - CVE-2025-10990 record published in NVD (the NVD publication date, not the date the flaw was found or fixed upstream)
- 2026-04-15 - NVD record last updated
Technical Details for CVE-2025-10990
Vulnerability Analysis
This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity), commonly known as Regular Expression Denial of Service (ReDoS). The flaw exists in how REXML processes hex numeric character references in XML documents. When parsing content that contains specially crafted &#x...; sequences, the regex engine can fall into catastrophic backtracking, consuming CPU for a time that grows super-linearly with the length of the crafted sequence and leaving the application unresponsive.
The vulnerability is an incomplete remediation of the previously identified CVE-2024-49761: the original fix did not cover every input shape that drives the hex numeric character reference handling into this behaviour. Any Ruby application that parses untrusted XML with REXML is therefore potentially exposed to denial of service. The advisory does not publish the triggering input, so defenders should not assume that only the CVE-2024-49761 proof-of-concept shape is dangerous.
Root Cause
The root cause is an inefficient regular expression pattern in REXML's parsing logic for hex numeric character references. When the pattern is applied to input that admits many ways of dividing the matched text among its sub-expressions, the backtracking regex engine exhaustively explores those alternatives before it succeeds or fails, so running time grows polynomially or exponentially with input length instead of linearly. A relatively small crafted input therefore consumes disproportionate CPU time.
Attack Vector
The attack is network-based and requires neither authentication nor user interaction. An attacker sends an XML document containing crafted hex numeric character references to any endpoint that parses XML with the vulnerable REXML library (API endpoints, SAML or SOAP handlers, file uploads, feed importers). The document does not need to be otherwise valid: the expensive regex evaluation happens during parsing, before any schema or business-logic validation can run, so the parse hangs or consumes excessive CPU and service is denied to legitimate users.
Attack complexity is low: the attacker only needs to produce input with the pattern that triggers worst-case regex performance, and no privileges are needed because the vulnerability is reached through ordinary XML parsing.
Detection Methods for CVE-2025-10990
Indicators of Compromise
- Unusual CPU spikes on systems processing XML data with REXML
- Application timeouts or hangs during XML parsing operations
- Incoming XML documents containing unusually long or unusually numerous hex numeric character references (&#x...;), or references whose body is not a short run of hex digits
- Log entries showing extended processing times for XML parsing functions
Detection Strategies
- Monitor application performance metrics for abnormal CPU utilization during XML processing
- Implement input validation that rejects XML documents with excessive or malformed hex character references, using a linear-time check (length and count limits) rather than another regular expression that could itself be driven into backtracking
- Deploy web application firewall (WAF) rules for ReDoS patterns in XML payloads, keeping in mind that regex-based WAF rules inspecting the same bytes can share the same weakness
- Enable detailed logging for XML parsing operations to identify slow or hanging requests
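The input-validation item above (and the first workaround further down) call for screening character references before the document reaches the parser. The following is an added example, not code from the original page or from REXML itself: a linear-time screen written without regular expressions, so the check cannot itself become a ReDoS target. The thresholds MAX_REF_BODY and MAX_REFS, the function names and the sample documents are assumptions constructed for this example. Because the advisory does not publish the triggering input, the screen caps the body length of any numeric character reference (decimal or hex) instead of matching one specific shape.

```ruby
# Added example (not REXML's code): a linear-time screen for the numeric
# character references (&#...; / &#x...;) that CVE-2025-10990 concerns. It
# avoids regular expressions on purpose, so the pre-filter cannot itself be a
# ReDoS target, and it caps the length of any reference body rather than
# matching one specific shape, because the advisory does not publish the
# triggering input.
#
# Assumptions (not from the advisory): the thresholds are illustrative. A valid
# reference needs at most seven significant characters between "&#" and ";"
# (decimal 1114111 or hex x10FFFF), so MAX_REF_BODY = 10 tolerates a few
# leading zeros while rejecting the long digit runs a ReDoS payload relies on.
MAX_REF_BODY = 10
MAX_REFS     = 10_000

# Characters that may appear between "&#" and ";" in either reference form.
REF_BODY_CHARS = "0123456789abcdefABCDEFx"

# One pass over the document; returns
#   refs:         number of "&#" introducers seen
#   max_body:     longest run of reference-body characters after any introducer
#   unterminated: introducers whose body is not followed by ";"
def numeric_ref_stats(xml)
  refs = 0
  max_body = 0
  unterminated = 0
  pos = 0
  while (start = xml.index("&#", pos))
    refs += 1
    i = start + 2
    i += 1 while i < xml.length && REF_BODY_CHARS.include?(xml[i])
    body = i - (start + 2)
    max_body = body if body > max_body
    unterminated += 1 unless xml[i] == ";"
    pos = i
  end
  { refs: refs, max_body: max_body, unterminated: unterminated }
end

# Returns nil for a document that looks benign, otherwise a short reason that
# is safe to log as an indicator of compromise.
def suspicious_numeric_refs(xml, max_body: MAX_REF_BODY, max_refs: MAX_REFS)
  s = numeric_ref_stats(xml)
  if s[:max_body] > max_body
    "numeric reference body of #{s[:max_body]} characters (limit #{max_body})"
  elsif s[:refs] > max_refs
    "#{s[:refs]} numeric references (limit #{max_refs})"
  elsif s[:unterminated] > 0
    "#{s[:unterminated]} numeric references without a closing ';'"
  end
end

# Constructed sample inputs (not captured traffic).
BENIGN_XML   = "<r>&#x41;&#65;&#x1F600;</r>"
LONG_HEX_XML = "<r>&#x#{'0' * 5000}41;</r>"      # long hex digit run
LONG_DEC_XML = "<r>&##{'0' * 5000}x41;</r>"      # digits between &# and x
FLOOD_XML    = "<r>#{'&#x41;' * 20_000}</r>"     # many references

if __FILE__ == $0
  [BENIGN_XML, LONG_HEX_XML, LONG_DEC_XML, FLOOD_XML].each do |doc|
    puts "#{doc.bytesize} bytes: #{suspicious_numeric_refs(doc) || 'ok'}"
  end
end
```

Run the screen on the raw request body before handing it to REXML; a non-nil result is both a reason to reject the request and a line worth logging against the indicators listed above. The body-length cap is a policy choice: XML allows unbounded leading zeros in a character reference, but no legitimate producer emits thousands of them.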
Monitoring Recommendations
- Set up alerts for CPU utilization thresholds on services that handle XML input
- Monitor request latency patterns for endpoints accepting XML data
- Track REXML parsing duration metrics to establish baselines and detect anomalies
- Implement timeout mechanisms for XML parsing operations to bound the impact: on Ruby 3.2 and later, Regexp.timeout aborts an individual regex match; otherwise rely on application-server request or worker timeouts
How to Mitigate CVE-2025-10990
Immediate Actions Required
- Update REXML to the latest patched version: the package provided by your distribution, or the rexml gem pinned in Gemfile.lock for Bundler-managed applications (a gem installed by Bundler shadows the distribution package, so patching only one of them can leave the vulnerable copy in use)
- Apply Red Hat security updates referenced in RHSA-2025:17606, RHSA-2025:17613, and RHSA-2025:17693
- Review applications that process untrusted XML input and implement input validation
- Consider implementing request timeouts for XML parsing operations as a temporary measure; a timeout limits how long one request can hold a worker but does not stop an attacker from sending more, so combine it with rate limiting
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations using Red Hat Enterprise Linux or related distributions should apply the following updates:
- Red Hat Security Advisory RHSA-2025:17606
- Red Hat Security Advisory RHSA-2025:17613
- Red Hat Security Advisory RHSA-2025:17693
Additional technical details are available in Red Hat Bug Report #2398216 and the Red Hat CVE Analysis for CVE-2025-10990.
Workarounds
- Implement strict input validation on XML documents before parsing, rejecting inputs with suspicious character reference patterns; use a simple scan with length and count limits rather than a regular expression, so the validator cannot be made to backtrack
- Set aggressive timeouts on XML parsing operations to limit the impact of ReDoS attempts; on Ruby 3.2 and later, Regexp.timeout= (or Regexp.new(..., timeout:)) makes the regex engine itself raise Regexp::TimeoutError, which does not depend on the asynchronous interrupt delivery that Timeout.timeout relies on
- Consider using an alternative XML parser, such as Nokogiri (backed by libxml2), for untrusted input, and confirm that the replacement's own protections against entity expansion and external entity loading are in effect before exposing it
- Deploy rate limiting on endpoints that accept XML input to reduce the effectiveness of DoS attacks
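The timeout and logging recommendations above (under Monitoring Recommendations and in the Workarounds list) can be combined in a single parsing wrapper. The following is an added example and is not REXML's own code or anything from the original page: it parses with an input-size cap, a per-match regex budget via Regexp.timeout (available on Ruby 3.2 and later, which is an assumption about the deployment), and a wall-clock measurement that logs slow parses as an indicator. parse_untrusted_xml, the threshold constants and the log format are names and values chosen for this example.

```ruby
require "rexml/document"

# Added example, not REXML's own code: parse untrusted XML under a regex match
# budget, an input-size cap and a wall-clock measurement, so a ReDoS attempt is
# cut off and logged instead of pinning a worker for as long as the match runs.
#
# Assumptions (not from the advisory): Regexp.timeout= exists only on Ruby 3.2
# and later; on older rubies the budget is unavailable and the size cap plus
# application-server request timeouts are the remaining protection. Thresholds
# are illustrative and should be tuned against measured parse baselines.
MAX_XML_BYTES    = 1_000_000  # refuse larger inputs before parsing
REGEX_BUDGET_SEC = 1.0        # longest any single regex match may run
SLOW_PARSE_SEC   = 0.5        # parses slower than this are logged as indicators

# Regexp.timeout is the default for every regex without a timeout of its own,
# which includes the patterns REXML compiles when it is loaded.
Regexp.timeout = REGEX_BUDGET_SEC if Regexp.respond_to?(:timeout=)

# Regexp::TimeoutError does not exist before Ruby 3.2; use a placeholder class
# there so the rescue clause below stays valid.
REGEX_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Returns [:ok, REXML::Document] or [:rejected, reason]. Never raises on bad input.
def parse_untrusted_xml(xml, log: $stderr)
  if xml.bytesize > MAX_XML_BYTES
    return [:rejected, "input of #{xml.bytesize} bytes exceeds #{MAX_XML_BYTES}"]
  end
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  doc = REXML::Document.new(xml)           # REXML parses the whole string here
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  if elapsed > SLOW_PARSE_SEC
    log.puts(format("rexml parse slow: %.3fs for %d bytes", elapsed, xml.bytesize))
  end
  [:ok, doc]
rescue REGEX_TIMEOUT_ERROR
  [:rejected, "regex budget of #{REGEX_BUDGET_SEC}s exhausted (possible ReDoS)"]
rescue REXML::ParseException => e
  [:rejected, "malformed XML: #{e.message.lines.first.to_s.strip}"]
end

if __FILE__ == $0
  status, doc = parse_untrusted_xml("<r>&#x41;&#66;</r>")   # constructed input
  puts "#{status}: #{doc.root.text}" if status == :ok
  p parse_untrusted_xml("<a><b></a>")                       # mismatched end tag
end
```

Regexp.timeout is process-wide: it also applies to the application's own regexes, so set it once at boot and pick a budget above the slowest legitimate match you have measured. Pair the wrapper with a worker-level timeout in the application server so that a parse cut off by the regex budget, or one that is slow for another reason, never holds a request slot indefinitely.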
# Example: update REXML on Red Hat-based systems. The RHEL/Fedora package is
# rubygem-rexml (ruby-rexml is the Debian/Ubuntu package name).
sudo yum update rubygem-rexml
# Or for DNF-based systems, either by package or by the advisory that applies
sudo dnf update rubygem-rexml
sudo dnf update --advisory=RHSA-2025:17606
# Verify the installed package, then the version Ruby actually loads, since a
# gem installed by Bundler or gem install shadows the distribution package
rpm -q rubygem-rexml
ruby -e 'require "rexml/rexml"; puts REXML::VERSION'
gem list rexml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

