CVE-2025-10990
Received Received - Intake
ReDoS Vulnerability in REXML Hex Character Parsing

Publication date: 2026-02-27

Last updated on: 2026-02-27

Assigner: Red Hat, Inc.

Description
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-02-27
Generated
2026-05-07
AI Q&A
2026-02-27
EPSS Evaluated
2026-05-05
NVD
CVE-2025-10990
EUVD
EUVD-2025-208140
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
red_hat satellite 6.17.5
red_hat satellite 6.17
red_hat satellite_capsule 6.17
red_hat enterprise_linux 9
red_hat satellite 6.16
red_hat satellite_capsule 6.16
red_hat enterprise_linux 8
red_hat satellite_client 6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a flaw in REXML where a remote attacker can exploit inefficient regular expression parsing when processing hexadecimal numeric character references in XML documents.

Specifically, the issue arises from how the system handles regex parsing of sequences like &#x...; which can be manipulated to cause excessive processing time.

This leads to a Regular Expression Denial of Service (ReDoS), meaning the affected component's availability can be disrupted by making it spend too much time processing crafted input.

The vulnerability is due to an incomplete fix for a previous related issue (CVE-2024-49761).


How can this vulnerability impact me? :

The primary impact of this vulnerability is a Denial of Service (DoS) condition caused by the inefficient regex processing.

An attacker can remotely trigger this by sending specially crafted XML documents containing hexadecimal numeric character references.

This can cause the affected component to become unavailable or unresponsive, impacting the availability of services relying on REXML.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart