CVE-2025-10990: Inefficient Regular Expression Complexity
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.
AI Analysis
Technical Summary
CVE-2025-10990 is a vulnerability identified in the REXML library, a Ruby-based XML parser widely used in various applications for XML document processing. The flaw arises from inefficient regular expression handling when parsing hex numeric character references (e.g., &#x...;) within XML content. Specifically, the regex used to process these references exhibits excessive backtracking or complexity, which can be exploited by a crafted XML input to cause a Regular Expression Denial of Service (ReDoS). This results in the parser consuming excessive CPU resources, leading to degraded performance or complete unavailability of the service relying on REXML. The vulnerability is a regression or incomplete remediation of a prior issue (CVE-2024-49761), indicating that the fix applied earlier did not fully address the underlying regex inefficiency. The CVSS v3.1 score of 7.5 reflects a high severity, with an attack vector that is network accessible (AV:N), requires no privileges (PR:N), and no user interaction (UI:N). The impact is solely on availability (A:H), with no confidentiality or integrity loss. No patches or exploits are currently documented, but the risk remains significant due to the ease of exploitation and potential for service disruption in applications processing untrusted XML data.
Potential Impact
The primary impact of CVE-2025-10990 is on the availability of systems using the REXML library for XML parsing. An attacker can remotely send malicious XML documents containing crafted hex numeric character references that trigger the inefficient regex, causing excessive CPU consumption and potential service outages. This can disrupt web services, APIs, or any backend systems relying on REXML, leading to denial of service conditions. Organizations that process large volumes of XML data or expose XML parsing functionality to untrusted sources are particularly vulnerable. While confidentiality and integrity are not directly affected, the availability impact can have cascading effects on business operations, customer trust, and compliance with service level agreements. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the threat surface. Critical infrastructure, financial services, and cloud providers using REXML may face operational disruptions if targeted.
Mitigation Recommendations
To mitigate CVE-2025-10990, organizations should monitor for and apply official patches or updates to the REXML library as soon as they become available. In the absence of patches, consider implementing input validation to reject or sanitize XML documents containing suspicious or excessive hex numeric character references. Employ resource limiting techniques such as CPU timeouts, request rate limiting, and sandboxing XML parsing operations to prevent resource exhaustion. Where feasible, replace REXML with alternative XML parsers that do not exhibit this regex inefficiency. Additionally, implement network-level protections like web application firewalls (WAFs) to detect and block malformed XML payloads. Regularly audit and review XML processing code to ensure robust error handling and resilience against ReDoS attacks. Finally, maintain comprehensive monitoring and alerting on system performance metrics to detect early signs of exploitation attempts.
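The input-validation and resource-limiting advice above, as an added Ruby example that is not part of this advisory and not REXML's own code. It pre-screens a document for hex numeric character references before the parser ever sees it, enforcing an assumed per-document budget (MAX_HEX_DIGITS, MAX_HEX_REFS are hypothetical values to tune), and then runs whatever parser the caller supplies under a wall-clock timeout. The scan is a plain index walk rather than a regex, so the check itself cannot be the backtracking hot spot. The XML documents in the usage section are constructed samples.

```ruby
require 'timeout'

# Assumed budget: a Unicode code point needs at most 6 hex digits, so 8 leaves
# headroom for leading zeros while still bounding the token the parser must handle.
MAX_HEX_DIGITS = 8
# Assumed budget: how many hex character references one document may carry.
MAX_HEX_REFS = 1_000

# Linear scan for "&#x...;" tokens. Returns [:ok, count] or [:rejected, reason].
# Deliberately regex-free so the screen has guaranteed O(n) cost.
def screen_hex_char_refs(xml, max_digits: MAX_HEX_DIGITS, max_refs: MAX_HEX_REFS)
  count = 0
  pos = 0
  while (start = xml.index('&#x', pos))
    count += 1
    return [:rejected, "too many hex character references (>#{max_refs})"] if count > max_refs

    i = start + 3
    digits = 0
    # \h is Ruby's hex-digit class; stop at the first non-hex character.
    while i < xml.length && xml[i].match?(/\h/)
      digits += 1
      return [:rejected, "hex character reference longer than #{max_digits} digits"] if digits > max_digits
      i += 1
    end
    # Well-formed XML terminates the reference with ';' immediately after the digits.
    return [:rejected, "hex character reference not terminated by ';'"] unless xml[i] == ';'

    pos = i + 1
  end
  [:ok, count]
end

# Run the supplied parser block only after screening, and only inside a time budget.
# Returns [:rejected, reason], [:timeout, reason] or [:parsed, result].
def parse_with_budget(xml, seconds: 2.0)
  status, detail = screen_hex_char_refs(xml)
  return [:rejected, detail] if status == :rejected

  Timeout.timeout(seconds) { [:parsed, yield(xml)] }
rescue Timeout::Error
  [:timeout, "parser exceeded #{seconds}s budget"]
end

# Ruby 3.2+ also lets the interpreter abort any single regex match that runs too long;
# guarded so the example still loads on older interpreters.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

if $PROGRAM_NAME == __FILE__
  # Constructed samples: a normal document, an oversized reference, an unterminated one.
  samples = {
    'normal'       => '<a>&#x41;&#x1F600;</a>',
    'oversized'    => '<a>&#x' + ('f' * 20) + ';</a>',
    'unterminated' => '<a>&#x41</a>'
  }
  samples.each do |name, doc|
    # Stand-in for REXML::Document.new(doc); any parser callable works here.
    puts "#{name}: #{parse_with_budget(doc) { |x| x.length }.inspect}"
  end
end
```

The pre-screen is the primary control: it rejects a document in linear time before any expensive parsing starts, and its rejection reasons are worth logging so that a burst of rejected hex references shows up in monitoring. The timeout and `Regexp.timeout` are a second line of defence for inputs the heuristic lets through; neither replaces applying the upstream fix once it is available.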
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-09-25T17:30:55.821Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a19ef732ffcdb8a232d2bb
Added to database: 2/27/2026, 1:41:11 PM
Last enriched: 2/27/2026, 1:56:06 PM
Last updated: 4/15/2026, 12:05:17 PM