Cyber Resilience

CVE-2024-35176

Severity: Medium
Published: 16 May 2024
Modified: 03 November 2025
KEV Added: not listed
Patch: available (REXML 3.2.7 or later)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0843 (92.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-35176 is a medium-severity Uncontrolled Resource Consumption (CWE-400, with CWE-770 Allocation of Resources Without Limits or Throttling also cited) vulnerability in the ruby-lang REXML gem, the XML parser that ships with Ruby. Its CVSS v3.1 base score is 5.3 (Medium), reflecting a network-reachable, unauthenticated trigger whose only impact is on availability (A:L).

Operationally, its EPSS score of 0.0843 places it in the top 7.5% of CVEs by estimated exploit likelihood (92.5th percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

REXML is the XML parsing toolkit for Ruby. Releases 3.2.6 and earlier contain a denial-of-service flaw: when the parser encounters an attribute value containing a large number of `<` characters, the cost of parsing grows out of proportion to the size of the input, which is why the issue is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). Note that the NVD description's wording "before 3.2.6" understates the affected range; the Ruby advisory lists 3.2.6 or prior as affected and 3.2.7 as the first fixed release. The issue received a CVSS 3.1 score of 5.3: network attack vector, low complexity, no privileges or user interaction required, and an impact limited to availability.

An unauthenticated remote attacker can submit a crafted XML document containing such an attribute value and make the affected application spend a disproportionate amount of CPU time (and memory) on a single small input, degrading availability. Because REXML is pure Ruby and runs on the thread that called it, one crafted request can tie up a worker for the duration of the parse, and a handful of concurrent requests can exhaust a worker pool. Any Ruby application that parses untrusted XML with an older REXML gem is exposed: the vector is network-reachable and needs no privileges. Note that a raw `<` is not permitted inside an attribute value in well-formed XML (it must be escaped as `&lt;`), so the triggering input is never legitimate data and can be rejected before it reaches the parser.

The official Ruby advisory and the REXML security notice state that the vulnerability is fixed in version 3.2.7; the corresponding patch is available in the referenced GitHub commit. Because REXML ships with Ruby itself (as a default gem on older interpreters and a bundled gem since Ruby 3.0), the version actually loaded at runtime can differ from what a Gemfile implies; confirm it with `gem list rexml` or by inspecting `REXML::VERSION`, and pin `rexml` to 3.2.7 or later in the Gemfile so that Bundler activates the fixed release. As a temporary mitigation, applications should avoid parsing XML from untrusted sources until the gem is updated, or at the very least bound input size and parse time.
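The following is an added example, not code from the REXML project or from the advisory. It shows the checks a practitioner would put in front of REXML while the upgrade is rolled out: a version check against the fixed release named on this page, a cheap pre-scan for the trigger shape the advisory describes (a raw `<` inside a quoted attribute value), and a size- and time-bounded parse. The 3.2.7 boundary comes from the advisory; the byte limit, the timeout and the helper names (`rexml_patched?`, `raw_lt_in_attribute?`, `probe_document`, `parse_untrusted`) are this example's own choices.

```ruby
# Added example (not REXML's or the advisory's code): guard layer for parsing
# untrusted XML with REXML while CVE-2024-35176 is being remediated.
require "rexml/document"
require "timeout"

# First REXML release carrying the fix, per the Ruby advisory quoted on this page.
REXML_FIXED_VERSION = Gem::Version.new("3.2.7")

class UntrustedXMLError < StandardError; end

# True when the given REXML version includes the fix. The default is the version
# actually loaded, which for a gem shipped with Ruby may differ from the Gemfile.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version.to_s) >= REXML_FIXED_VERSION
end

# Pre-scan for a raw "<" inside a quoted attribute value. That is never well-formed
# XML (it must be written as &lt;) and it is the shape the advisory describes, so
# such input can be refused before the parser does any work. The tag body is
# consumed as non-quote characters or whole quoted strings, so a ">" inside an
# earlier attribute value cannot hide a later one. "<!" (CDATA, comments) and "<?"
# do not start an element tag and are skipped.
RAW_LT_IN_ATTRIBUTE = /<[A-Za-z_:](?:[^>"']|"[^"]*"|'[^']*')*?\s[\w:.\-]+\s*=\s*(?:"[^"]*<[^"]*"|'[^']*<[^']*')/

def raw_lt_in_attribute?(xml)
  RAW_LT_IN_ATTRIBUTE.match?(xml)
end

# Constructs a document of the shape the advisory describes (an attribute value
# made of +count+ "<" characters), for exercising a guard or an upgrade in your
# own environment. It is malformed XML by construction.
def probe_document(count)
  %(<root attr="#{'<' * count}"/>)
end

# Parses untrusted XML under three independent bounds: input size, the pre-scan
# above, and wall-clock time. REXML is pure Ruby, so Timeout can interrupt it, but
# CPU already spent is lost; that is why the cheap checks run first and why the
# upgrade remains the real fix. Every failure is reported as UntrustedXMLError.
def parse_untrusted(xml, max_bytes: 1_000_000, seconds: 2)
  if xml.bytesize > max_bytes
    raise UntrustedXMLError, "document too large: #{xml.bytesize} bytes"
  end
  if raw_lt_in_attribute?(xml)
    raise UntrustedXMLError, "raw '<' inside an attribute value (CVE-2024-35176 trigger shape)"
  end
  Timeout.timeout(seconds, UntrustedXMLError, "parse exceeded #{seconds}s") do
    REXML::Document.new(xml)
  end
rescue REXML::ParseException => e
  raise UntrustedXMLError, "malformed XML: #{e.message.lines.first.to_s.strip}"
end

if $PROGRAM_NAME == __FILE__
  puts "loaded REXML #{REXML::VERSION}, patched: #{rexml_patched?}"
  doc = parse_untrusted('<root a="1"><child>ok</child></root>')
  puts "parsed <#{doc.root.name}> with #{doc.root.elements.size} child element(s)"
  begin
    parse_untrusted(probe_document(100_000))
  rescue UntrustedXMLError => e
    puts "rejected probe: #{e.message}"
  end
end
```

The pre-scan is deliberately fail-closed: it will also reject the unusual but valid case of an element-like string with a raw `<` attribute sitting inside a CDATA section, which is an acceptable trade for input you do not trust. Run the file on a host you are assessing to see which REXML version is really loaded and whether the probe is stopped before the parser sees it.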

The associated EPSS score has remained flat at 0.0843 with no material increase since disclosure.

Vulnerability details

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

CWE(s)

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ruby-lang
rexml
< 3.2.7 (3.2.6 and earlier; fixed in 3.2.7)

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived automatically from the weakness types cited in the NVD entry (CWE-400 and CWE-770) and is generic to resource-exhaustion flaws. For this specific issue the direct controls are upgrading REXML to 3.2.7 or later, refusing XML from untrusted sources, and bounding input size and parse time; the session- and connection-oriented items below apply only indirectly.

Each of the following addresses CWE-400 and CWE-770:

- Limiting concurrent sessions caps the number of active sessions per user or account, bounding the resources a single principal can consume.
- Contingency plan testing that includes resource-exhaustion scenarios verifies recovery, making it harder for an attacker to sustain an outage caused by uncontrolled consumption.
- Updated contingency plans carry current procedures to detect, contain and recover from resource exhaustion, limiting how long an attacker can sustain the impact.
- An alternate processing site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
- Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
- Planning and coordination of security activities (scans, tests, maintenance) imposes scheduling and throttling so that those activities do not themselves cause uncontrolled resource consumption.
- Performance metrics and monitoring track resource consumption patterns, making uncontrolled consumption easier to detect and respond to.
- Terminating idle connections bounds the resources that would otherwise accumulate from open sessions.
