GHSA SYNC: 1 brand new advisory

jasnow · postmodern · commit dff94e024b70 · 2025-09-18T15:57:32.000-07:00
diff --git a/gems/rexml/CVE-2025-58767.yml b/gems/rexml/CVE-2025-58767.yml
@@ -0,0 +1,38 @@
+---
+gem: rexml
+cve: 2025-58767
+ghsa: c2f4-jgmc-q2r5
+url: https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5
+title: REXML has DoS condition when parsing malformed XML file
+date: 2025-09-17
+description: |
+  ### Impact
+
+  The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when
+  parsing XML containing multiple XML declarations. If you need to
+  parse untrusted XMLs, you may be impacted to these vulnerabilities.
+
+  ### Patches
+
+  REXML gems 3.4.2 or later include the patches to fix these vulnerabilities.
+
+  ### Workarounds
+
+  Don't parse untrusted XMLs.
+
+  ### References
+
+  * https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767
+    - An announcement on www.ruby-lang.org
+cvss_v4: 1.2
+unaffected_versions:
+  - "< 3.3.3"
+patched_versions:
+  - ">= 3.4.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-58767
+    - https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767
+    - https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5
+    - https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23
+    - https://github.com/advisories/GHSA-c2f4-jgmc-q2r5
