[CVE-2024-35176] DoS vulnerability in REXML

Disclosed: 2024-08-23 22:43:50 By mprogrammer To ibb
Medium
Vulnerability Details
I sent my original report here: https://hackerone.com/reports/2490560 REXML had a vulnerability where repeated `>` characters in an attribute value took a very long time for the parser to finish. The wait times increased exponentially the larger the string. ## Impact Reduced performance or Denial of Service was possible where REXML is used to parse user input. Rails uses REXML to convert XML to a hash, so this was susceptible: ```rb Hash.from_xml(request.body.read) ```
Actions
View on HackerOne
Report Stats
  • Report ID: 2645836
  • State: Closed
  • Substate: resolved
  • Upvotes: 16
Share this report