Add advisory for CVE-2025-58767 (DoS vulnerability in REXML) (#937)

hudakh · web-flow · commit 413001ab4bc1 · 2025-12-23T18:04:36.000-08:00
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -39,5 +39,6 @@ This database would not be possible without volunteers willing to submit pull re
 * [Florian Wininger](https://github.com/fwininger)
 * [Al Snow](https://github.com/jasnow)
 * [Adrian Hirt](https://github.com/Adrian-Hirt)
+* [Huda Kharrufa](https://github.com/hudakh)
 
 The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).
diff --git a/rubies/ruby/CVE-2025-58767.yml b/rubies/ruby/CVE-2025-58767.yml
@@ -0,0 +1,24 @@
+---
+engine: ruby
+cve: 2025-58767
+url: https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/
+title: DoS vulnerability in REXML
+date: 2025-09-18
+description: |
+  REXML has a DoS condition when parsing malformed XML file
+
+  REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing
+  XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these
+  vulnerabilities.
+  The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
+
+patched_versions:
+  - ">= 3.4.8"
+related:
+  url:
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml
+    - https://www.cve.org/CVERecord?id=CVE-2025-58767
+    - https://www.ruby-lang.org/en/news/2025/12/17/ruby-3-4-8-released/
+    - https://bugs.ruby-lang.org/issues/21632
+notes: |
+  Ruby 3.3 and 3.2 have PRs to backport the fix but new versions haven't been released yet.
