CVE-2024-49761: 
Ruby vulnerability analysis and mitigation

The REXML gem before version 3.3.9 contains a Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2024-49761) discovered in October 2024. The vulnerability affects the XML parsing functionality when processing hex numeric character references with many digits between '&#' and 'x...;'. This issue specifically impacts Ruby 3.1, which is the only affected maintained Ruby version, while Ruby 3.2 and later versions are not affected (Ruby Advisory).

The vulnerability exists in the XML parsing mechanism of REXML when handling hex numeric character references in the format '&#x...;'. The issue is specifically related to the character reference parsing pattern in the baseparser.rb file, which was modified from '/&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/' to '/&#((?:\d+)|(?:x[a-fA-F0-9]+));/' to address the vulnerability. The CVSS v3.1 base score is 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through Regular Expression Denial of Service (ReDoS). The vulnerability affects the availability of the system while having no impact on confidentiality or integrity (NetApp Advisory).

The primary mitigation is to upgrade the REXML gem to version 3.3.9 or later, which includes the security patch. For systems that cannot be immediately updated, a workaround is to use Ruby 3.2 or later instead of Ruby 3.1, as these versions are not affected by the vulnerability. Note that Ruby 3.1 will reach End of Life (EOL) in March 2025 (Ruby Advisory).