CVE-2025-10990

Summary

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x…;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.

Affected Software

VendorProductVersion RangeStatus
6.17.5unaffected
6.16.5.4unaffected
Red HatRed Hat Satellite 6.16 for RHEL 80:8.8.1-3.el8sat < *unaffected
Red HatRed Hat Satellite 6.16 for RHEL 80:8.8.1-3.el8sat < *unaffected
Red HatRed Hat Satellite 6.16 for RHEL 90:8.8.1-3.el9sat < *unaffected
Red HatRed Hat Satellite 6.16 for RHEL 90:8.8.1-3.el9sat < *unaffected
Red HatRed Hat Satellite 6.17 for RHEL 90:8.8.1-3.el9sat < *unaffected
Red HatRed Hat Satellite 6.17 for RHEL 90:8.8.1-3.el9sat < *unaffected
Red HatSatellite Client 6 for RHEL 80:7.34.0-4.el8sat < *unaffected
Red HatSatellite Client 6 for RHEL 90:7.34.0-4.el9sat < *unaffected

Weaknesses

  • CWE-1333: Inefficient Regular Expression Complexity

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References