Security: CVE-2025-58767 via rexml 3.3.9 dependency #874

@jigar-shah-acquia

Description

Hello Team,

We’ve encountered a security issue related to a transitive dependency used by overcommit.

The Ruby gem rexml version 3.3.9 is affected by CVE-2025-58767, and this version is currently pulled in through existing dependency constraints.

Current observations:

  • The last overcommit release was approximately 7 months ago
  • There is no released version that updates or mitigates the vulnerable rexml dependency

As a result, downstream users are unable to fully remediate the CVE without maintaining custom forks.

Request

Could you please advise:

  1. Whether there is a planned release to address this CVE
  2. If dependency constraints can be updated to allow a patched version of rexml
  3. Any recommended mitigation steps for users until an update is available
