Skip to content

jekyll-feed-0.17.0.gem: 1 vulnerabilities (highest severity is: 5.3) #56

New issue
New issue
Open
Open
jekyll-feed-0.17.0.gem: 1 vulnerabilities (highest severity is: 5.3)#56
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Feb 19, 2025
Vulnerable Library - jekyll-feed-0.17.0.gem

Path to dependency file: /web/Gemfile.lock

Path to vulnerable library: /web/vendor/cache/rexml-3.3.9.gem

Found in HEAD commit: c27524e670d3ab98f2167091ca55e4795d6dd6c8

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (jekyll-feed version) Remediation Possible**
CVE-2025-58767 Medium 5.3 rexml-3.3.9.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-58767

Vulnerable Library - rexml-3.3.9.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.3.9.gem

Path to dependency file: /web/Gemfile.lock

Path to vulnerable library: /web/vendor/cache/rexml-3.3.9.gem

Dependency Hierarchy:

  • jekyll-feed-0.17.0.gem (Root Library)
    • jekyll-3.9.5.gem
      • kramdown-2.4.0.gem
        • rexml-3.3.9.gem (Vulnerable Library)

Found in HEAD commit: c27524e670d3ab98f2167091ca55e4795d6dd6c8

Found in base branch: main

Vulnerability Details

REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.

Publish Date: 2025-09-17

URL: CVE-2025-58767

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2f4-jgmc-q2r5

Release Date: 2025-09-17

Fix Resolution: rexml - 3.4.2,https://github.com/ruby/rexml.git - v3.4.2

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions