From 64506e2811323375651d94f18c4ed94460e182c3 Mon Sep 17 00:00:00 2001
From: Huda
Date: Wed, 17 Dec 2025 13:45:34 +1030
Subject: [PATCH 1/2] Add advisory for CVE-2025-58767 (DoS vulnerability in REXML)
---
 rubies/ruby/CVE-2025-58767.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rubies/ruby/CVE-2025-58767.yml
diff --git a/rubies/ruby/CVE-2025-58767.yml b/rubies/ruby/CVE-2025-58767.yml
new file mode 100644
index 0000000000..12f006730a
--- /dev/null
+++ b/rubies/ruby/CVE-2025-58767.yml
@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2025-58767
+url: https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/
+title: DoS vulnerability in REXML
+date: 2025-09-18
+description: |
+ REXML has a DoS condition when parsing malformed XML file
+
+ REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing
+ XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these
+ vulnerabilities.
+ The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
+
+patched_versions:
+ - ">= 3.2.10"
+ - ">= 3.3.11"
+ - ">= 3.4.8"
+related:
+ url:
+ - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml
+ - https://www.cve.org/CVERecord?id=CVE-2025-58767
+ - https://www.ruby-lang.org/en/news/2025/12/17/ruby-3-4-8-released/
+ - https://bugs.ruby-lang.org/issues/21632
+notes: |
+ Ruby 3.3 and 3.2 have PRs to backport the fix but new versions haven't been released yet.
From 17bb4c0f48f61b0d0eb0fe220b818ad763a601bb Mon Sep 17 00:00:00 2001
From: Huda
Date: Wed, 17 Dec 2025 13:58:20 +1030
Subject: [PATCH 2/2] Add self to list of contributors
---
 CONTRIBUTORS.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 765cdd3810..68e06d6a9e 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
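Review bot: `patched_versions` lists `>= 3.2.10` and `>= 3.3.11`, yet the `notes` block at the end of the same file says the Ruby 3.2 and 3.3 backports have not been released; a consumer matching a Ruby version against this list will treat those not-yet-existing releases as fixed, and if a backport slips to a later point release the advisory will silently under-report. Either restrict the list to the released fix, `- ">= 3.4.8"`, and add the 3.2/3.3 entries when those releases ship, or state in `notes` that the two entries are anticipated release numbers so the assumption is explicit. The file also mixes version spaces: `description` talks about REXML gem versions (affected 3.3.3–3.4.1, fixed in 3.4.2) while `patched_versions` are Ruby releases, so a sentence in `notes` such as `patched_versions are Ruby releases that bundle REXML 3.4.2 or later.` would help a reader — assuming 3.4.8 does ship that gem, which is worth confirming against the release announcement linked under `related`. Minor: `date: 2025-09-18` is an unquoted scalar that YAML 1.1 loaders (including Psych) read as a Date rather than a string, which is fine only if the other advisories under `rubies/` rely on the same convention.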
@@ -39,5 +39,6 @@ This database would not be possible without volunteers willing to submit pull re
 * [Florian Wininger](https://github.com/fwininger)
 * [Al Snow](https://github.com/jasnow)
 * [Adrian Hirt](https://github.com/Adrian-Hirt)
+* [Huda Kharrufa](https://github.com/hudakh)
 
 The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).