Skip to content

vonage-7.29.1.gem: 1 vulnerabilities (highest severity is: 5.3) #118

New issue
New issue
Open
Open
vonage-7.29.1.gem: 1 vulnerabilities (highest severity is: 5.3)#118
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Sep 19, 2025
Vulnerable Library - vonage-7.29.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/rexml-3.4.1.gem

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (vonage version) Remediation Possible** Reachability
CVE-2025-58767 Medium 5.3 Not Defined 0.0% rexml-3.4.1.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-58767

Vulnerable Library - rexml-3.4.1.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.4.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/rexml-3.4.1.gem

Dependency Hierarchy:

  • vonage-7.29.1.gem (Root Library)
    • rexml-3.4.1.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.

Publish Date: 2025-09-17

URL: CVE-2025-58767

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2f4-jgmc-q2r5

Release Date: 2025-09-17

Fix Resolution: https://github.com/ruby/rexml.git - v3.4.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions