GHSA-4xqq-m2hx-25v8 · Severity: medium · Ecosystem: rubygems — REXML denial of service vulnerability
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML document that contains many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XML, you may be affected by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches that fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
Conclusion & alert: CVE-2024-39908 is rated Low Risk (36.2/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.38%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 8.33% | 1.38% | -6.96% |
| 2 | 2026-06-11 | 8.03% | 8.33% | +0.30% |
| 3 | 2026-06-05 | — | 8.03% | — |
Full EPSS history (62 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.3 | 3.1 | MEDIUM | | 2.8 | 1.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| alpine | medium | CVE-2024-39908: 1 source package row (ruby-rexml); 5 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 5, open 0. | https://security.alpinelinux.org/vuln/CVE-2024-39908 |
| debian | not yet assigned | CVE-2024-39908 not yet assigned priority: Debian including 3 source packages (ruby2.7, ruby3.1, ruby3.3), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2024-39908 |
| gentoo | normal | CVE-2024-39908: 1 GLSA (202507-08), 1 atom (dev-ruby/rexml); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-39908 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2024-39908 |
| suse | medium | CVE-2024-39908 severity moderate: SUSE including 321 source package names (2.19-54.2:libruby2_5-2_5-2.5.9-150000.4.32.1, 2.19-54.2:ruby2.5-2.5.9-150000.4.32.1, …), 947 product×package rows across 194 product lines (Container bci/ruby, Container suse/rmt-server, …): Fixed 617, Known Affected 231, Known Not Affected 99. | https://www.suse.com/security/cve/CVE-2024-39908/ |
| ubuntu | medium | CVE-2024-39908 medium priority: Ubuntu including 7 source packages (jruby, ruby2.3, …), 54 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 31, needs-triage 13, released 6, ignored 2, not-affected 2. | https://ubuntu.com/security/CVE-2024-39908 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| ruby-lang | rexml | < 3.3.2 | cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:* |
| netapp | bootstrap_os | — | cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 | Vendor Advisory |
| https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908 | Vendor Advisory |
| https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html | |
| https://security.netapp.com/advisory/ntap-20250117-0008/ | Third Party Advisory |