Bug 2396186 (CVE-2025-58767)

Summary: CVE-2025-58767 rexml: REXML denial of service
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: akostadi, amasferr, anthomas, cbartlet, crizzo, dmayorov, eglynn, ehelms, ggainey, jcantril, jjoyce, jlledo, jschluet, juwatts, jvasik, kaycoth, lhh, lsvaty, mburns, mgarciac, mhulan, mkudlej, mmakovy, nmoumoul, osousa, pantinor, pcreech, pgrist, rblanco, rchan, rojacob, smallamp, tjochec, tmalecek, tsedmik, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A denial of service flaw has been discovered in the rubygem REXML. Certain input can cause excess CPU usage, and given sufficiently large input this can affect program performance.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2396203, 2396204, 2413064
Bug Blocks:

Description OSIDB Bzimport 2025-09-17 18:01:56 UTC
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XML, you may be impacted by these vulnerabilities. The REXML gem 3.4.2 or later includes the patches to fix these vulnerabilities.

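The Doc Text and the description above give two facts a practitioner can act on: the affected REXML range (3.3.3 through 3.4.1, fixed in 3.4.2) and the trigger condition (a document carrying more than one XML declaration). The Ruby below is an added example, not code from this bug, from REXML upstream or from Red Hat: it checks a gem version against that range and gates untrusted input on the declaration count (plus a size cap) before the document is handed to `REXML::Document`. The function names, the sample documents, the one-megabyte cap and the regular expression used to spot a declaration are all assumptions of this example; the upstream fix works inside the parser and is not reproduced here.

```ruby
require 'rubygems' # Gem::Version, available in every modern Ruby

# Boundaries taken from the advisory text: 3.3.3 .. 3.4.1 affected, 3.4.2 fixed.
REXML_FIRST_AFFECTED = Gem::Version.new('3.3.3')
REXML_FIXED          = Gem::Version.new('3.4.2')

# True when the given REXML version string falls inside the affected range.
def rexml_affected?(version_string)
  v = Gem::Version.new(version_string)
  v >= REXML_FIRST_AFFECTED && v < REXML_FIXED
end

# Version of the rexml gem visible to RubyGems on this host, or nil if absent.
def installed_rexml_version
  Gem::Specification.find_by_name('rexml').version.to_s
rescue Gem::LoadError
  nil
end

# An XML declaration is the processing instruction whose target is "xml"
# followed by whitespace ("<?xml version=..."). Other PIs such as
# <?xml-stylesheet ...?> start with "<?xml-" and must not be counted.
# Targets matching "xml" in any case are reserved, so the match is
# case-insensitive. (Assumption of this example: a raw-text scan is enough
# to gate input before parsing; it is not how REXML itself tokenises.)
XML_DECL_RE = /<\?xml\s/i

def count_xml_declarations(xml)
  xml.scan(XML_DECL_RE).size
end

# Input gate for untrusted XML: at most one declaration and bounded size.
# The 1 MB default cap is an assumed value; pick one that fits your feeds.
def safe_xml?(xml, max_bytes: 1_000_000)
  return false if xml.bytesize > max_bytes
  count_xml_declarations(xml) <= 1
end

# Parse only after the gate passes; REXML is loaded lazily so the
# rejection path never touches the parser at all.
def parse_untrusted(xml, max_bytes: 1_000_000)
  unless safe_xml?(xml, max_bytes: max_bytes)
    raise ArgumentError, 'rejected: oversized input or multiple XML declarations'
  end
  require 'rexml/document'
  REXML::Document.new(xml)
end

# Constructed sample inputs (not taken from any real report).
CLEAN_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="style.xsl"?>
  <root><item id="1"/></root>
XML

DOUBLE_DECL_XML = '<?xml version="1.0"?><?xml version="1.0"?><root/>'

if __FILE__ == $PROGRAM_NAME
  v = installed_rexml_version
  puts "installed rexml: #{v.inspect} affected: #{v ? rexml_affected?(v) : 'unknown'}"
  puts "clean declarations:  #{count_xml_declarations(CLEAN_XML)}"
  puts "double declarations: #{count_xml_declarations(DOUBLE_DECL_XML)}"
  begin
    parse_untrusted(DOUBLE_DECL_XML)
  rescue ArgumentError => e
    puts "gate: #{e.message}"
  end
end
```

The gate is a stop-gap for hosts that cannot yet take the 3.4.2 update or the RHSA packages listed below; it does not replace them, because it only covers the one trigger this bug names and says nothing about other parser-level costs.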
Comment 6 errata-xmlrpc 2025-12-10 17:41:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:23063 https://access.redhat.com/errata/RHSA-2025:23063

Comment 7 errata-xmlrpc 2025-12-10 18:18:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:23062 https://access.redhat.com/errata/RHSA-2025:23062

Comment 8 errata-xmlrpc 2025-12-11 18:41:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:23140 https://access.redhat.com/errata/RHSA-2025:23140

Comment 9 errata-xmlrpc 2025-12-11 19:41:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:23141 https://access.redhat.com/errata/RHSA-2025:23141