Defect #43249
Update REXML gem to version 3.4.2 due to security vulnerability (CVE-2025-58767)
Status: open
Description
Greetings,
According to a security advisory from CERT-XMCO, the REXML gem is affected by a security vulnerability referenced as CVE-2025-58767. It is strongly recommended to update the REXML gem to version 3.4.2 in order to address this issue and ensure the security of the application.
Currently, Redmine 6.1.0 is using REXML version 3.3.9.
Reference: https://www.cve.org/CVERecord?id=CVE-2025-58767
Thank you for your time and consideration of this request.
Kind regards, Beladric
Updated by Pavel Rosický 2 days ago
Enforcing the new version should be done here https://github.com/SeleniumHQ/selenium/commit/f11bd82e9023a65d204f697fd1f6e67f9e750afe
Since the new REXML is allowed, you can easily update it yourself with "bundle update". selenium-webdriver is only needed for testing and can be omitted in production. However, be aware that some third-party plugins might also depend on it.
Alternatively, you can lock the new version in your Gemfile:
gem 'rexml', '~> 3.4.4'
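Before running "bundle update" or pinning the gem, it helps to confirm which rexml version the application actually has locked, because a Gemfile constraint only takes effect once Gemfile.lock is regenerated. The following Ruby script is an added example, not code from this ticket or from the Redmine project: it parses the specs section of a Gemfile.lock and compares the locked rexml version against 3.4.2, the fixed version named in the ticket. The lock file excerpts embedded in it are constructed samples, and it uses Gem::Version so that a version such as 3.4.10 compares correctly against 3.4.2 (a plain string comparison would get that wrong).

```ruby
require 'rubygems'

# Constructed sample Gemfile.lock excerpt showing the situation described in the
# ticket: rexml locked below the fixed version, pulled in via selenium-webdriver.
# This is not Redmine's real lock file.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.2.1)
      rexml (3.3.9)
      selenium-webdriver (4.25.0)
        rexml (~> 3.2, >= 3.2.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    selenium-webdriver
LOCK

# Constructed sample after the fix has been applied and the lock file regenerated.
SAMPLE_LOCKFILE_FIXED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.2.1)
      rexml (3.4.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    rexml (~> 3.4.4)
LOCK

# Minimum rexml version that addresses CVE-2025-58767, as stated in the ticket.
REXML_FIXED_VERSION = Gem::Version.new('3.4.2')

# Parse the "specs:" block(s) of a Gemfile.lock into { gem name => Gem::Version }.
# Only lines indented exactly four spaces ("name (version)") are locked gems;
# deeper-indented lines are dependency constraints and are skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    # A non-indented line (e.g. "PLATFORMS") ends the current specs block.
    in_specs = false if in_specs && line =~ /^\S/
    next unless in_specs
    if (m = line.match(/^ {4}(\S+) \(([^)]+)\)\s*$/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# :fixed       - rexml is locked at or above the fixed version
# :vulnerable  - rexml is locked below the fixed version
# :not_present - rexml does not appear in the lock file at all
def rexml_status(lockfile_text, fixed: REXML_FIXED_VERSION)
  locked = locked_versions(lockfile_text)['rexml']
  return :not_present if locked.nil?
  locked >= fixed ? :fixed : :vulnerable
end

# Stand-alone usage: pass a path to a real Gemfile.lock, or run with no
# arguments to check the constructed sample above.
if $PROGRAM_NAME == __FILE__
  text = ARGV.empty? ? SAMPLE_LOCKFILE : File.read(ARGV[0])
  version = locked_versions(text)['rexml']
  puts "rexml locked at: #{version || 'none'} -> #{rexml_status(text)}"
end
```

Run it against the application's own Gemfile.lock (ruby check_rexml.rb /path/to/Gemfile.lock) after "bundle update rexml" to confirm the lock file really moved to 3.4.2 or later; a :vulnerable result after the update usually means another gem's constraint is still holding rexml back, which is the case where the explicit gem 'rexml' line above is needed.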
Updated by Kilian GOËTZ 1 day ago
Hello Pavel,
Thank you very much for your quick reply and the clarifications. It seems that in my case I am not impacted by the CVE. We can therefore close this ticket.
Kind regards, Beladric.