CVE-2025-58767

Name: CVE-2025-58767
Description: REXML is an XML toolkit for Ruby. REXML gem versions 3.3.3 through 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XML, you may be affected by this vulnerability. REXML gem 3.4.2 or later includes the patch that fixes it.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1115655

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                        | Version           | Status
ruby2.7 (PTS)   | bullseye                       | 2.7.4-1+deb11u1   | fixed
ruby2.7 (PTS)   | bullseye (security)            | 2.7.4-1+deb11u5   | fixed
ruby3.1 (PTS)   | bookworm, bookworm (security)  | 3.1.2-7+deb12u1   | fixed
ruby3.3 (PTS)   | forky, sid, trixie             | 3.3.8-2           | vulnerable

The information below is based on the following data on fixed versions.

Package     | Type    | Release     | Fixed Version   | Urgency | Origin | Debian Bugs
ruby-rexml  | source  | (unstable)  | (unfixed)       |         |        |
ruby2.7     | source  | (unstable)  | (not affected)  |         |        |
ruby3.1     | source  | (unstable)  | (not affected)  |         |        |
ruby3.3     | source  | (unstable)  | (unfixed)       |         |        | 1115655

Notes

- ruby3.1 <not-affected> (Vulnerable code not present)
- ruby2.7 <not-affected> (Vulnerable code not present)
https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/
https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5
https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23 (v3.4.2)
