Skip to content

Commit a542a6e

Browse files
advisory-database[bot]advisory-database[bot]
committed
1 parent a7c001c commit a542a6e

File tree

1 file changed

+68
-0
lines changed

1 file changed

+68
-0
lines changed

advisories/github-reviewed/2025/09/GHSA-c2f4-jgmc-q2r5/GHSA-c2f4-jgmc-q2r5.json

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-c2f4-jgmc-q2r5",
4+
"modified": "2025-09-17T18:26:48Z",
5+
"published": "2025-09-17T18:26:48Z",
6+
"aliases": [
7+
"CVE-2025-58767"
8+
],
9+
"summary": "REXML has DoS condition when parsing malformed XML file",
10+
"details": "### Impact\n\nThe REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations.\nIf you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.\n\n### Patches\n\nREXML gems 3.4.2 or later include the patches to fix these vulnerabilities.\n\n### Workarounds\n\nDon't parse untrusted XMLs.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/ : An announcement on www.ruby-lang.org",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "RubyGems",
21+
"name": "rexml"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "3.3.3"
29+
},
30+
{
31+
"fixed": "3.4.2"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 3.4.1"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23"
49+
},
50+
{
51+
"type": "PACKAGE",
52+
"url": "https://github.com/ruby/rexml"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-776"
62+
],
63+
"severity": "LOW",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2025-09-17T18:26:48Z",
66+
"nvd_published_at": null
67+
}
68+
}

0 commit comments

Comments
 (0)