The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations.
If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.
REXML gems 3.4.2 or later include the patches to fix these vulnerabilities.
Don't parse untrusted XMLs.
| Score | Percentile |
|---|---|
| 0.02% | 5.96% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 1.2 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-c2f4-jgmc-q2r5 ↗ |
| CVE | CVE-2025-58767 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rubygems | rexml | >= 3.3.3, <= 3.4.1 | 3.4.2 | — |