The ruby-security team have published an advisory about a DoS bug affecting REXML users. Most Rails applications will be affected by this vulnerability, and you’re strongly advised to take the mitigating steps recommended in the advisory.
The announcement contains details describing the monkeypatch solution, but to summarise:
Versions 2.0.2 and earlier:
Copy the fix file into RAILS_ROOT/lib.
Require the file from environment.rb: require 'rexml-expansion-fix'

Versions 2.1.0 and edge:
Copy the fix file into RAILS_ROOT/config/initializers; it will be required automatically.
The fix will be made available as a gem in the next 24 hours to aid distribution, and this post will be updated with revised upgrade instructions at that time. If you wish to access the gem early you can build it for yourself from the source. After installing the gem you should require it from environment.rb. The fix file and the gem are identical.
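Once the fix file or gem is loaded, a quick way to confirm that REXML is actually enforcing an entity expansion limit is to parse a small document whose entities nest and check that resolving them past a deliberately low limit is refused. The following is an added example, not code from the original post or from the fix itself; it assumes a REXML that accepts `REXML::Document.entity_expansion_limit=` (the setting is process-wide, so it is reset at the end), and the XML sample is constructed for the check.

```ruby
require 'rexml/document'

# Constructed sample: three nested entities. Reading the root element's text
# resolves &c; once, &b; four times and &a; sixteen times, i.e. 21 expansions.
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [
    <!ENTITY a "aaaa">
    <!ENTITY b "&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;">
  ]>
  <r>&c;</r>
XML

# Returns true when REXML aborts entity resolution because the configured
# expansion limit was exceeded, false when the document resolves normally.
# The limit is a global setting, so it is restored afterwards.
def expansion_limited?(xml, limit)
  previous = REXML::Security.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  doc.root.text # forces the entity references to be resolved
  false
rescue RuntimeError # REXML raises a RuntimeError ("number of entity expansions exceeded")
  true
ensure
  REXML::Document.entity_expansion_limit = previous
end

if __FILE__ == $0
  puts "limit 10     -> limited? #{expansion_limited?(NESTED_ENTITY_XML, 10)}"
  puts "limit 10_000 -> limited? #{expansion_limited?(NESTED_ENTITY_XML, 10_000)}"
end
```

If the first call returns false, the fix is not loaded (or not in effect in that process) and the application is still exposed to the unbounded expansion the advisory describes.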
by Genís