Wednesday, Aug 27 2008

DoS vulnerability in REXML

Here is a security announcement for the REXML library (links by me) in the Ruby news:

There is a DoS vulnerability in the REXML library used by Rails to parse incoming XML requests. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML. Most Rails applications will be vulnerable to this attack.

Impact

An attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
 <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
 <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
 <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
 <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
 <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
 <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>

M. Koziarski provides a Rails-specific solution to the problem:

The announcement contains details describing a monkeypatch which can be applied to prevent the risk. These instructions are reproduced below with more Rails-specific information:

Versions 2.0.2 and earlier

1. Copy the fix file into RAILS_ROOT/lib
2. Require the file from environment.rb: require 'rexml-expansion-fix'

Versions 2.1.0 and edge

Copy the fix file into RAILS_ROOT/config/initializers, it will be required automatically.

There is also a gem available which includes the fix file:

gem install rexml-expansion-fix

Once that command has completed add the following line to the bottom of your environment.rb file:

require 'rexml-expansion-fix'
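As an added example (not code from the post, the advisory or the rexml-expansion-fix gem), here is a pre-parse check in plain Ruby that measures how far the entities declared in a document's internal DTD subset would expand and applies a byte budget before the document is handed to REXML; the budget of 1,000,000 bytes is an assumption. It is run against the nested-entity document shown in the Impact section above.

```ruby
# Added example (not the rexml-expansion-fix monkeypatch): estimate how large the
# internal-subset entities would grow if fully expanded, before REXML sees the document.
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>/
ENTITY_REF  = /&(\w+);/
DOCTYPE     = /<!DOCTYPE\b.*?\[(.*?)\]\s*>/m

# Entity name => replacement text, taken from the internal subset only.
def declared_entities(xml)
  subset = xml[DOCTYPE, 1] or return {}
  subset.scan(ENTITY_DECL).each_with_object({}) { |(name, dq, sq), h| h[name] = dq || sq }
end

# Fully expanded byte length of one entity; memoized, and raises on a cycle (a <-> b).
def expanded_size(name, entities, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  raise ArgumentError, "recursive entity #{name}" if stack.include?(name)
  text = entities.fetch(name) { return "&#{name};".bytesize } # predefined/undeclared: counted as written
  size = text.gsub(ENTITY_REF, '').bytesize
  text.scan(ENTITY_REF).flatten.each { |ref| size += expanded_size(ref, entities, memo, stack + [name]) }
  memo[name] = size
end

# Bytes the body would grow to if every reference were expanded; recursion => unbounded.
def expansion_cost(xml)
  entities = declared_entities(xml)
  body = xml.sub(DOCTYPE, '')
  memo = {}
  body.scan(ENTITY_REF).flatten.sum { |ref| expanded_size(ref, entities, memo) }
rescue ArgumentError
  Float::INFINITY
end
# Budget is an assumption; size it to cover legitimate payloads with margin.
def safe_to_parse?(xml, budget = 1_000_000)
  expansion_cost(xml) <= budget
end
# The nested-entity document from the advisory above, reproduced as test input.
EXPLOSION_DOC = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE member [
   <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
   <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
   <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
   <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
   <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
   <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
   <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
  ]>
  <member>&a;</member>
XML
puts "expansion cost: #{expansion_cost(EXPLOSION_DOC)} bytes, safe: #{safe_to_parse?(EXPLOSION_DOC)}"
```

The seven declarations above multiply out to thirty million bytes from a request of a few hundred, which is the disproportion the check is meant to catch.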


Reader Comments (1)

This vulnerability has been known about for quite some time. When I looked at RoR about a year ago, there were a couple message board posts that I could dig up that talked about it.

Most XML parsing engines solve this by providing a property that disables DTD parsing (e.g. .Net and MSXML both have .prohibitDTD properties). You could accomplish this same goal using REXML by overriding the entity resolver method to basically refuse to resolve anything but the standard entities.

Sorry for not providing more references, but I looked into this so long ago that I don't have all of my information in front of me.

August 27, 2008 | Unregistered Commenter Chris Clark
