CVE-2025-10990 PUBLISHED

Rexml: rexml: denial of service via inefficient regex parsing

Assigner: redhat
Reserved: 25.09.2025 Published: 27.02.2026 Updated: 27.02.2026

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Package Collection https://www.redhat.com/en/technologies/management/satellite
Package Name Red Hat Satellite
Versions Default: unaffected
  • Version 6.17.5 is unaffected
  • Version 6.16.5.4 is unaffected
Vendor Red Hat
Product Red Hat Satellite 6.16 for RHEL 8
Versions Default: affected
  • unaffected from 0:8.8.1-3.el8sat to * (excl.)
Vendor Red Hat
Product Red Hat Satellite 6.16 for RHEL 9
Versions Default: affected
  • unaffected from 0:8.8.1-3.el9sat to * (excl.)
Vendor Red Hat
Product Red Hat Satellite 6.17 for RHEL 9
Versions Default: affected
  • unaffected from 0:8.8.1-3.el9sat to * (excl.)
Vendor Red Hat
Product Satellite Client 6 for RHEL 8
Versions Default: affected
  • unaffected from 0:7.34.0-4.el8sat to * (excl.)
Vendor Red Hat
Product Satellite Client 6 for RHEL 9
Versions Default: affected
  • unaffected from 0:7.34.0-4.el9sat to * (excl.)

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Problem Types

  • CWE: Inefficient Regular Expression Complexity