Vulnerability Report

CVE-2024-43398

RCE

Title: Ruby-Lang Rexml RCE

RCE

Proof Of Concept

No public PoC currently indexed for CVE-2024-43398.

CWE Category CWE-776

Published Date Aug 22, 2024

Modified Date Nov 03, 2025

Exploit Status Not Found

Score 5.9 CVSS v3.1

Exploit Probability (EPSS)

1.17%

Vulnerability Summary

CVE-2024-43398: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Impacted Vendors

netapp 1

ruby-lang 1

Reference Links

https://github.com/ruby/rexml/releases/tag/v3.3.6 https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3 https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html https://security.netapp.com/advisory/ntap-20250103-0006/

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

5.9

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2024-43398 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

November 03, 2025 MODIFIED

Vulnerability data or affected products updated.

August 22, 2024 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity HIGH

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Stack

No specific products linked.