Add advisory for CVE-2025-58767 (DoS vulnerability in REXML)

huda-kh · huda-kh · commit f2af530f83d7 · 2025-12-17T13:45:34.000+10:30
diff --git a/rubies/ruby/CVE-2025-58767.yml b/rubies/ruby/CVE-2025-58767.yml
@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2025-58767
+url: https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/
+title: DoS vulnerability in REXML
+date: 2025-09-18
+description: |
+  REXML has a DoS condition when parsing malformed XML file
+
+  REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing
+  XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these
+  vulnerabilities.
+  The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
+
+patched_versions:
+  - ">= 3.2.10"
+  - ">= 3.3.11"
+  - ">= 3.4.8"
+related:
+  url:
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml
+    - https://www.cve.org/CVERecord?id=CVE-2025-58767
+    - https://www.ruby-lang.org/en/news/2025/12/17/ruby-3-4-8-released/
+    - https://bugs.ruby-lang.org/issues/21632
+notes: |
+  Ruby 3.3 and 3.2 have PRs to backport the fix but new versions haven't been released yet.
