GHSA-vmwr-mc7x-5vc3 · Severity: high · Ecosystem: rubygems — REXML denial of service vulnerability
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
Conclusion & alert: CVE-2024-43398 is rated Moderate Risk (46.1/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.21%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.14% | 1.21% | +0.07% |
| 2 | 2026-06-11 | 1.17% | 1.14% | -0.03% |
| 3 | 2026-05-28 | — | 1.17% | — |
Full EPSS history (45 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.9 | 3.1 | MEDIUM |
|
2.2 | 3.6 | [email protected] |
GHSA-vmwr-mc7x-5vc3 · Severity: high · Ecosystem: rubygems — REXML denial of service vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
medium | CVE-2024-43398: 1 source package rows (ruby-rexml); 5 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 5, open 0. | https://security.alpinelinux.org/vuln/CVE-2024-43398 |
debian
|
not yet assigned | CVE-2024-43398 not yet assigned priority: Debian including 3 source packages (ruby2.7, ruby3.1, ruby3.3), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2024-43398 |
gentoo
|
normal | CVE-2024-43398: 1 GLSA(s) (202507-08), 1 atom(s) (dev-ruby/rexml); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-43398 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2024-43398 |
suse
|
high | CVE-2024-43398 severity important: SUSE including 323 source package names (2.19-54.2:libruby2_5-2_5-2.5.9-150000.4.32.1, 2.19-54.2:ruby2.5-2.5.9-150000.4.32.1, …), 932 product×package rows across 190 product lines (Container bci/ruby, Container suse/rmt-server, … (190 product lines)): Fixed 619, Known Affected 231, Known Not Affected 82. | https://www.suse.com/security/cve/CVE-2024-43398/ |
ubuntu
|
low | CVE-2024-43398 low priority: Ubuntu including 6 source packages (ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3), 44 status rows across 9 suites (bionic, focal, jammy, noble, oracular, plucky, questing, upstream, xenial): DNE 30, needs-triage 7, released 7. | https://ubuntu.com/security/CVE-2024-43398 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| ruby-lang | rexml | < 3.3.6 | cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:* |
| netapp | bootstrap_os | — | cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/ruby/rexml/releases/tag/v3.3.6 | Release Notes |
| https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3 | Vendor Advisory |
| https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html | |
| https://security.netapp.com/advisory/ntap-20250103-0006/ | Third Party Advisory |