Red Hat CVE-2026-33169
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.
Releases
The fixed releases are available at the normal locations.
AnalysisAI
A regular expression denial of service (ReDoS) vulnerability exists in Rails ActiveSupport's NumberToDelimitedConverter, which uses gsub! with an inefficient regex pattern to insert thousands delimiters into numeric strings. An attacker can craft excessively long digit strings that cause quadratic time complexity, leading to CPU exhaustion and denial of service. Patches are available from the Rails project for versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, and the vulnerability is tagged as a denial of service issue affecting the activesupport gem.
Technical ContextAI
The vulnerability resides in the NumberToDelimitedConverter component of Ruby on Rails' ActiveSupport library (pkg:rubygems/activesupport), which provides utility functions for number formatting including the insertion of thousands separators. The root cause is classified under CWE-400 (Uncontrolled Resource Consumption), specifically a regex denial of service (ReDoS) condition where the gsub! method with a poorly optimized regular expression exhibits catastrophic backtracking behavior on certain input patterns. When processing long strings of digits, the regex engine enters a state of exponential time complexity, consuming CPU resources proportionally to the square of the input length rather than linearly. This occurs because the regex pattern used for delimiter insertion does not properly handle the alternation and quantifiers in a way that prevents backtracking on non-matching portions of extended numeric strings.
RemediationAI
Immediately upgrade Ruby on Rails to version 7.2.3.1, 8.0.4.1, 8.1.2.1, or later, depending on your current release branch. The patches are available from the official Rails releases at https://github.com/rails/rails/releases and have been committed to the main repository (see commits 29154f1097da13d48fdb3200760b3e3da66dcb11, b54a4b373c6f042cab6ee2033246b1c9ecc38974, and ec1a0e215efd27a3b3911aae6df978a80f456a49). For applications unable to upgrade immediately, implement input validation to reject excessively long numeric strings before they reach the NumberToDelimitedConverter, and consider rate-limiting or request size restrictions at the application or reverse proxy level to mitigate ReDoS exploitation. Consult the GitHub advisory at https://github.com/advisories/GHSA-cg4j-q9v8-6v38 for complete details and version mapping.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP1 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP2 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP3 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today