Skip to content

activesupport vulnerable to Denial of Service via large XML document depth

Moderate severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Mar 31, 2025

Package

bundler activesupport (RubyGems)

Affected versions

>= 4.0.0.beta1, < 4.1.11
>= 4.2.0.beta1, < 4.2.2
< 3.2.22

Patched versions

4.1.11
4.2.2
3.2.22

Description

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.

References

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Mar 31, 2025

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(78th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2015-3227

GHSA ID

GHSA-j96r-xvjq-r9pg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.