CVE-2025-10990
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x…;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
6.17.5 | unaffected | ||
6.16.5.4 | unaffected | ||
| Red Hat | Red Hat Satellite 6.16 for RHEL 8 | 0:8.8.1-3.el8sat < * | unaffected |
| Red Hat | Red Hat Satellite 6.16 for RHEL 8 | 0:8.8.1-3.el8sat < * | unaffected |
| Red Hat | Red Hat Satellite 6.16 for RHEL 9 | 0:8.8.1-3.el9sat < * | unaffected |
| Red Hat | Red Hat Satellite 6.16 for RHEL 9 | 0:8.8.1-3.el9sat < * | unaffected |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:8.8.1-3.el9sat < * | unaffected |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | 0:8.8.1-3.el9sat < * | unaffected |
| Red Hat | Satellite Client 6 for RHEL 8 | 0:7.34.0-4.el8sat < * | unaffected |
| Red Hat | Satellite Client 6 for RHEL 9 | 0:7.34.0-4.el9sat < * | unaffected |
Weaknesses
- CWE-1333: Inefficient Regular Expression Complexity
Workarounds
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHSA-2025:17606
- https://access.redhat.com/errata/RHSA-2025:17613
- https://access.redhat.com/errata/RHSA-2025:17693
- https://access.redhat.com/security/cve/CVE-2025-10990
- https://bugzilla.redhat.com/show_bug.cgi?id=2398216
- https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
- https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.