
Issue #21632 has been reported by Bo98 (Bo Anderson).

----------------------------------------
Bug #21632: Backport REXML CVE-2025-58767 fix
https://bugs.ruby-lang.org/issues/21632

* Author: Bo98 (Bo Anderson)
* Status: Open
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
Even though it's a bundled gem and not a default gem, it would be worthwhile backporting the fix for CVE-2025-58767 (https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/).

Ruby 3.4 PR: https://github.com/ruby/ruby/pull/14795
Ruby 3.3 PR: https://github.com/ruby/ruby/pull/14796

I'm not sure what to do for Ruby 3.2. It's a security fix so it qualifies for a backport, but there's other changes included in a version bump. Do we need a rexml 3.3.9.1?

--
https://bugs.ruby-lang.org/