CVE-2025-10990

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:17606
https://access.redhat.com/errata/RHSA-2025:17613
https://access.redhat.com/errata/RHSA-2025:17693
https://access.redhat.com/security/cve/CVE-2025-10990
https://bugzilla.redhat.com/show_bug.cgi?id=2398216

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en REXML. Un atacante remoto podría explotar el análisis ineficiente de expresiones regulares (regex) al procesar referencias de caracteres numéricos hexadecimales (&#x...;) en documentos XML. Esto podría conducir a una Denegación de Servicio por Expresiones Regulares (ReDoS), impactando la disponibilidad del componente afectado. Este problema es el resultado de una corrección incompleta para CVE-2024-49761.

27 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 14:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-10990

Mitre link : CVE-2025-10990

CVE.ORG link : CVE-2025-10990

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

7.5 /10