
CVE-2024-49761: CWE-1333: Inefficient Regular Expression Complexity in ruby rexml

Severity: Medium
Tags: Vulnerability, CVE-2024-49761, CWE-1333
Published: Mon Oct 28 2024 (10/28/2024, 14:10:23 UTC)
Source: CVE Database V5
Vendor/Project: ruby
Product: rexml

Description

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.

AI-Powered Analysis

Last updated: 11/03/2025, 21:47:28 UTC

Technical Analysis

CVE-2024-49761 identifies a ReDoS vulnerability in the Ruby REXML gem, a widely used XML parsing toolkit for Ruby applications. The flaw arises from inefficient regular expression handling when parsing XML documents containing hex numeric character references with many digits (e.g., &#x...;). This causes the regex engine to consume excessive CPU cycles, leading to potential denial of service conditions. The vulnerability affects REXML versions before 3.3.9 and specifically impacts Ruby 3.1, which is still maintained; Ruby 3.2 and later versions are not vulnerable due to changes in the XML parsing implementation. The vulnerability can be triggered remotely by processing crafted XML inputs without requiring authentication or user interaction, increasing the attack surface. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and a high impact on availability (VA:H), with no impact on confidentiality or integrity. Although no exploits have been observed in the wild, the vulnerability poses a moderate risk to applications relying on vulnerable REXML versions for XML processing, especially in web services or APIs that accept XML input. The patch was released in REXML 3.3.9, which addresses the inefficient regex complexity to prevent CPU exhaustion.

Potential Impact

For European organizations, this vulnerability can lead to denial of service conditions in applications that parse XML using vulnerable versions of the REXML gem on Ruby 3.1. This can disrupt business-critical services, degrade performance, and increase operational costs due to resource exhaustion. Industries such as finance, healthcare, government, and telecommunications that process XML data extensively and rely on Ruby-based applications are particularly at risk. The vulnerability could be exploited remotely without authentication, potentially allowing attackers to disrupt services at scale. While it does not compromise data confidentiality or integrity, the availability impact can cause significant operational disruptions and reputational damage. Organizations using Ruby 3.2 or later are not affected, reducing the overall risk if they maintain up-to-date environments.

Mitigation Recommendations

European organizations should immediately audit their Ruby environments to identify usage of REXML gem versions prior to 3.3.9, especially on Ruby 3.1. Upgrading the REXML gem to version 3.3.9 or later is the primary mitigation step. If upgrading is not immediately feasible, consider implementing input validation or filtering to detect and block XML inputs containing suspiciously long hex numeric character references. Employ runtime resource limits and monitoring to detect abnormal CPU usage patterns indicative of ReDoS attempts. Additionally, isolate XML parsing components behind rate limiting and web application firewalls (WAFs) configured to detect anomalous XML payloads. Encourage development teams to migrate to Ruby 3.2 or later where this vulnerability is not present. Regularly update dependencies and monitor vulnerability advisories to stay ahead of similar issues.
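As an added example (not REXML's or the advisory's own code), a Ruby pre-filter that implements the input-validation and version-audit steps above: it rejects raw XML containing a numeric character reference longer than any valid code point needs, reports whether the installed REXML is at or above 3.3.9, and only then hands the document to REXML. The length limit, the function names and the sample inputs are assumptions.

```ruby
require "rexml/document"

# Longest body a legitimate numeric character reference needs: U+10FFFF is
# "1114111" in decimal (7 digits) or "x10FFFF" in hex (7 chars). 8 leaves slack.
MAX_REF_BODY = 8
PATCHED_REXML = Gem::Version.new("3.3.9")

# Returns true when the installed (or given) REXML version carries the fix.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= PATCHED_REXML
end

# Linear-time scan of the raw XML text. Each match is anchored on "&#" and the
# class [^;&<] cannot contain the anchor, so this regex itself cannot backtrack
# into ReDoS. A reference is accepted only if it is terminated, short, and shaped
# like a plain decimal or hex code point; anything else (for instance a long run
# of padding digits before the "x") is rejected. References inside CDATA or
# comments are checked too, which is conservative but cheap.
def safe_numeric_refs?(xml)
  xml.scan(/&#([^;&<]*)(;?)/) do |body, terminator|
    return false if terminator.empty?
    return false if body.length > MAX_REF_BODY
    return false unless body.match?(/\A(?:x\h+|\d+)\z/)
  end
  true
end

# Guarded entry point: refuse suspicious input before REXML ever sees it.
def parse_guarded(xml)
  unless safe_numeric_refs?(xml)
    raise ArgumentError, "rejected: oversized or malformed numeric character reference"
  end
  REXML::Document.new(xml)
end

# Constructed sample inputs (not taken from the advisory).
SAFE_XML = "<doc>&#x41;&#65;</doc>"
SUSPICIOUS_XML = "<doc>&#" + ("0" * 40) + "x41;</doc>"

if __FILE__ == $PROGRAM_NAME
  warn "REXML #{REXML::VERSION} is older than 3.3.9; upgrade the gem" unless rexml_patched?
  puts parse_guarded(SAFE_XML).root.name
  begin
    parse_guarded(SUSPICIOUS_XML)
  rescue ArgumentError => e
    puts e.message
  end
end
```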


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2024-10-18T13:43:23.455Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6909214ffe7723195e054697

Added to database: 11/3/2025, 9:40:31 PM

Last enriched: 11/3/2025, 9:47:28 PM

Last updated: 11/4/2025, 3:53:54 AM
