CVE-2025-10990
Received Received - Intake
ReDoS Vulnerability in REXML Hex Character Parsing

Publication date: 2026-02-27

Last updated on: 2026-02-27

Assigner: Red Hat, Inc.

Description
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10990
EUVD
EUVD-2025-208140
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
red_hat satellite 6.17.5
red_hat satellite 6.17
red_hat satellite_capsule 6.17
red_hat enterprise_linux 9
red_hat satellite 6.16
red_hat satellite_capsule 6.16
red_hat enterprise_linux 8
red_hat satellite_client 6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in REXML where a remote attacker can exploit inefficient regular expression parsing when processing hexadecimal numeric character references in XML documents.

Specifically, the issue arises from how the system handles regex parsing of sequences like &#x...; which can be manipulated to cause excessive processing time.

This leads to a Regular Expression Denial of Service (ReDoS), meaning the affected component's availability can be disrupted by making it spend too much time processing crafted input.

The vulnerability is due to an incomplete fix for a previous related issue (CVE-2024-49761).

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) condition caused by the inefficient regex processing.

An attacker can remotely trigger this by sending specially crafted XML documents containing hexadecimal numeric character references.

This can cause the affected component to become unavailable or unresponsive, impacting the availability of services relying on REXML.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10990. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart