CVE-2025-58767

Name
CVE-2025-58767
Description
REXML is an XML toolkit for Ruby. REXML gem versions 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XML, you may be impacted by this vulnerability. REXML gem 3.4.2 and later include the patch that fixes it.
NVD Severity
unknown

References

| Type | URI |
|---|---|
| MISC | https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23 |
| CONFIRM | https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| | rexml | >= 3.3.3 | < 3.4.2 |
| cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:* | ruby-rexml | >= 3.3.3 | < 3.4.2 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| ruby-rexml | edge-main | 3.4.4-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| ruby-rexml | edge-main | 3.4.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | edge-main | 3.4.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | edge-main | 3.3.9-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | 3.23-main | 3.4.4-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| ruby-rexml | 3.23-main | 3.4.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | 3.22-main | 3.4.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | 3.22-main | 3.3.9-r0 | None | possibly vulnerable |
| ruby-rexml | 3.21-main | 3.3.9-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | 3.20-main | 3.3.9-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | 3.20-main | 3.3.9-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | 3.19-main | 3.3.9-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| ruby-rexml | 3.19-main | 3.3.9-r0 | None | possibly vulnerable |