rexml: DoS vulnerability in REXML

A vulnerability was found in REXML RubyGems. This package is vulnerable to denial of service DoS when parsing a deep XML structure with the same local name attribute. This vulnerability only affects tree parser API like REXML::Document.new, other parser APIs such as stream parser API and SAX2...

Moderate: Red Hat Security Advisory: ruby:3.1 security update

An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

CGI: Denial of Service in CGI::Cookie.parse

A flaw was found in Ruby's CGI gem. Processing specially crafted large cookies with the CGI::Cookie.parse method can cause excessive resource consumption due to a missing limit on the length of the raw cookie value, resulting in a denial of service...

CGI: ReDoS in CGI::Util#escapeElement

A flaw was found in Ruby's CGI gem. The CGI::UtilescapeElement method is vulnerable to Regular expression Denial of Service ReDoS, allowing a specially crafted input to cause a high CPU consumption...

uri: userinfo leakage in URI#join, URI#merge and URI#+

A flaw was found in the URI ruby gem package, where userinfo leakage can occur in the uri gem. The methods URIjoin, URImerge, and URI+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using...

[SECURITY] Fedora 40 Update: ruby-3.3.8-19.fc40

Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks as in Perl. It is simple, straight-forward, and extensible...

Fedora 40 : ruby (2025-9bef972bb9)

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-9bef972bb9 advisory. Upgrade to Ruby 3.3.8. CVE-2025-25186: Fix Net::IMAP vulnerable to possible DoS by memory exhaustion Resolves: rhbz2345556 CVE-2025-27219: Denial of...

RHEL 8 : ruby:3.1 (RHSA-2025:4063)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:4063 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system...

ruby:3.1 security update

ruby 3.1.7-145 - Upgrade to Ruby 3.1.7. Resolves: RHEL-55408 - Fix DoS vulnerability in REXML. CVE-2024-39908 Resolves: RHEL-57051 - Fix DoS vulnerability in REXML. CVE-2024-43398 Resolves: RHEL-56002 3.1.5-144 - Fix REXML ReDoS vulnerability. CVE-2024-49761 Resolves: RHEL-68520 3.1.5-143 - Upgra...

Oracle Linux 8 : ruby:3.1 (ELSA-2025-4063)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-4063 advisory. - Fix DoS vulnerability in REXML. CVE-2024-39908 Resolves: RHEL-57051 - Fix DoS vulnerability in REXML. CVE-2024-43398 Resolves: RHEL-56002 - Fix REXML...

ALSA-2025:4063 Moderate: ruby:3.1 security update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fixes: rexml: DoS vulnerability in REXML CVE-2024-39908 rexml: rubygem-rexml: DoS when parsing an XML having many specific characters suc...

Moderate: ruby:3.1 security update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fixes: rexml: DoS vulnerability in REXML CVE-2024-39908 rexml: rubygem-rexml: DoS when parsing an XML having many specific characters suc...

[SECURITY] Fedora 41 Update: ruby-3.3.8-19.fc41

Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks as in Perl. It is simple, straight-forward, and extensible...

Ubuntu 16.04 LTS / 18.04 LTS : Ruby vulnerabilities (USN-7442-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7442-1 advisory. It was discovered that the Ruby CGI gem incorrectly handled parsing certain cookies. A remote attacker could possibly use this issue to consu...

Fedora 41 : ruby (2025-60513bdbbd)

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-60513bdbbd advisory. Upgrade to Ruby 3.3.8. CVE-2025-25186: Fix Net::IMAP vulnerable to possible DoS by memory exhaustion Resolves: rhbz2345557 CVE-2025-27219: Denial of...

Azure Linux 3.0 Security Update: ruby (CVE-2025-27220)

The version of ruby installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-27220 advisory. - In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service ReDoS vulnerability exists in the...

Azure Linux 3.0 Security Update: ruby (CVE-2025-27219)

The version of ruby installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-27219 advisory. - In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential...

Azure Linux 3.0 Security Update: ruby (CVE-2025-27221)

The version of ruby installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-27221 advisory. - In the URI gem before 1.0.3 for Ruby, the URI handling methods URI.join, URImerge, URI+ have an inadvertent...

CLSA-2025-1745053071 ruby: Fix of CVE-2024-49761

CVE-2024-49761: parse XML with many digits in hex numeric character reference &x... to fix ReDoS vulnerability in REXML...

CVE-2025-27221 affecting package ruby for versions less than 3.3.5-3

CVE-2025-27221 affecting package ruby for versions less than 3.3.5-3. A patched version of the package is available...