CVE-2025-10990 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-10990 PUBLISHED CVSS 7.5 HIGH

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.

EPSS 0.15% · 34.9th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.15%

34.9th percentile

Affected Products

Vendor	Product	Versions
Red Hat	Satellite Client 6 for RHEL 8	0:7.34.0-4.el8sat, 0:7.34.0-4.el8sat, 0:7.34.0-4.el8sat
Red Hat	Red Hat Satellite 6.16 for RHEL 8	0:8.8.1-3.el8sat, 0:8.8.1-3.el8sat, 0:8.8.1-3.el8sat
		6.17.5, 6.17.5, 6.16.5.4
Red Hat	Satellite Client 6 for RHEL 9	0:7.34.0-4.el9sat, 0:7.34.0-4.el9sat, 0:7.34.0-4.el9sat
Red Hat	Red Hat Satellite 6.16 for RHEL 9	0:8.8.1-3.el9sat, 0:8.8.1-3.el9sat, 0:8.8.1-3.el9sat
Red Hat	Red Hat Satellite 6.17 for RHEL 9	0:8.8.1-3.el9sat, 0:8.8.1-3.el9sat, 0:8.8.1-3.el9sat

Timeline

Sep 25, 2025 CVE ID Reserved
Feb 27, 2026 CVE Published
Feb 27, 2026 CVE Updated
Feb 28, 2026 EPSS Score
Feb 28, 2026 PoC Published
Mar 1, 2026 EPSS Score
Mar 2, 2026 EPSS Score
Mar 2, 2026 Distribution Patch
Mar 2, 2026 Distribution Patch
Mar 2, 2026 Distribution Patch
Mar 2, 2026 Security Advisory
Mar 2, 2026 Security Advisory

References

RHSA-2025:17606 vendor-advisory
RHSA-2025:17613 vendor-advisory
RHSA-2025:17693 vendor-advisory
https://access.redhat.com/security/cve/CVE-2025-10990 vdb
RHBZ#2398216 issue
https://nvd.nist.gov/vuln/detail/CVE-2025-10990 advisory

Open in Interactive Console →