CVE-2024-35176
Published: 16 May 2024
Summary
CVE-2024-35176 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Ruby-Lang Rexml. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
REXML is an XML parsing toolkit for Ruby whose versions prior to 3.2.6 contain a denial-of-service vulnerability. The flaw is triggered when the parser encounters an attribute value containing a large number of “<” characters, leading to uncontrolled resource consumption that matches CWE-400 and CWE-770. The issue received a CVSS 3.1 score of 5.3 with a network attack vector and no authentication or user interaction required.
An unauthenticated remote attacker can supply a crafted XML document containing the malicious attribute value and cause the affected application to consume excessive CPU or memory, resulting in degraded availability. Because the vector is network-reachable and requires no privileges, any Ruby application that processes untrusted XML input with an older REXML gem is exposed.
The official Ruby advisory and the REXML security notice state that the vulnerability is resolved in version 3.2.7; the corresponding patch is available in the referenced GitHub commit. As a temporary mitigation, applications should avoid parsing XML from untrusted sources until the gem is updated.
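As an added example (not code from the advisory, the Ruby security team, or the REXML project), the following Ruby applies the two points above as a gate in front of the parser: refuse to parse untrusted input at all when the loaded REXML is older than 3.2.7, and cheaply reject raw documents whose attribute values carry many `<` characters, which well-formed XML never contains, so the payload shape never reaches the parser. The attribute regex, the threshold, and the function names are assumptions of this example.

```ruby
# Added example (not from the advisory or the REXML project): a defensive
# gate for applications that parse XML from untrusted sources with REXML.
# It applies the page's two points: REXML >= 3.2.7 carries the fix, and
# documents with many '<' characters inside an attribute value are the
# trigger, so such input is refused before reaching the parser.
require "rubygems" # Gem::Version (loaded by default in Ruby)

FIXED_VERSION = Gem::Version.new("3.2.7")

# Constructed threshold: well-formed XML never has a literal '<' inside an
# attribute value, so a small allowance only absorbs false positives from
# the simplified regex below (e.g. an `="..."` in text content).
LT_LIMIT = 8

# True when the given REXML version string already includes the fix.
def rexml_patched?(version_string)
  Gem::Version.new(version_string) >= FIXED_VERSION
end

# Largest number of '<' found inside any quoted attribute value of the raw
# document text. The scan is linear in the input size and runs before any
# XML parsing, so it cannot itself be made expensive by the payload.
# The regex is a deliberate simplification (hypothetical helper).
def max_lt_in_attribute_values(xml)
  xml.scan(/=\s*(?:"([^"]*)"|'([^']*)')/)
     .map { |dq, sq| (dq || sq).count("<") }
     .max || 0
end

# Returns :ok when the document may be handed to REXML, or a symbol naming
# the reason it was refused. An unpatched REXML never parses untrusted input.
def screen_untrusted_xml(xml, rexml_version)
  return :rexml_unpatched unless rexml_patched?(rexml_version)
  return :suspicious_attribute if max_lt_in_attribute_values(xml) > LT_LIMIT

  :ok
end

if __FILE__ == $PROGRAM_NAME
  installed = begin
    require "rexml/rexml" # defines REXML::VERSION for the bundled gem
    REXML::VERSION
  rescue LoadError, NameError
    "0.0.0" # no REXML available: treat as unpatched
  end
  sample = '<doc attr="' + ("<" * 40) + '"/>' # constructed input in the trigger shape
  puts "REXML #{installed}: #{screen_untrusted_xml(sample, installed)}"
end
```

The pre-parse scan is only a belt-and-braces check for the window before the gem is updated; the version gate is what removes the exposure, and the page's own guidance (do not parse untrusted XML until REXML 3.2.7 or later is installed) still applies.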
The associated EPSS score has remained flat at 0.0843 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1802
Vulnerability details
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML document that has many `<`s in an attribute value. Those who need to parse untrusted XML may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this vulnerability. As a workaround, don't parse untrusted XML.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
- Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
- Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
- An alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
- Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
- Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.
- Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.
- Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.