fastlane-2.228.0.gem: 2 vulnerabilities (highest severity is: 5.3)

[appcues-wss]

Vulnerable Library - fastlane-2.228.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (fastlane version)	Remediation Possible**
CVE-2025-58767	Medium	5.3	rexml-3.4.1.gem	Transitive	N/A*	❌
CVE-2025-14762	Medium	5.3	aws-sdk-s3-1.196.1.gem	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-58767

Vulnerable Library - rexml-3.4.1.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.4.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Dependency Hierarchy:

• fastlane-2.228.0.gem (Root Library)
  • CFPropertyList-3.0.7.gem
    • ❌ rexml-3.4.1.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.

Publish Date: 2025-09-17

URL: CVE-2025-58767

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2f4-jgmc-q2r5

Release Date: 2025-09-17

Fix Resolution: rexml - 3.4.2,https://github.com/ruby/rexml.git - v3.4.2

CVE-2025-14762

Vulnerable Library - aws-sdk-s3-1.196.1.gem

Official AWS Ruby gem for Amazon Simple Storage Service (Amazon S3). This gem is part of the AWS SDK for Ruby.

Library home page: https://rubygems.org/gems/aws-sdk-s3-1.196.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Dependency Hierarchy:

• fastlane-2.228.0.gem (Root Library)
  • ❌ aws-sdk-s3-1.196.1.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.

Publish Date: 2025-12-17

URL: CVE-2025-14762

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xgq-q749-89fq

Release Date: 2025-12-17

Fix Resolution: aws-sdk-s3 - 1.208.0