Skip to main content

Red Hat CVE-2026-33169

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-23 https://github.com/rails/rails
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:00 vuln.today
Patch released
Mar 23, 2026 - 21:00 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:52 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

A regular expression denial of service (ReDoS) vulnerability exists in Rails ActiveSupport's NumberToDelimitedConverter, which uses gsub! with an inefficient regex pattern to insert thousands delimiters into numeric strings. An attacker can craft excessively long digit strings that cause quadratic time complexity, leading to CPU exhaustion and denial of service. Patches are available from the Rails project for versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, and the vulnerability is tagged as a denial of service issue affecting the activesupport gem.

Technical ContextAI

The vulnerability resides in the NumberToDelimitedConverter component of Ruby on Rails' ActiveSupport library (pkg:rubygems/activesupport), which provides utility functions for number formatting including the insertion of thousands separators. The root cause is classified under CWE-400 (Uncontrolled Resource Consumption), specifically a regex denial of service (ReDoS) condition where the gsub! method with a poorly optimized regular expression exhibits catastrophic backtracking behavior on certain input patterns. When processing long strings of digits, the regex engine enters a state of exponential time complexity, consuming CPU resources proportionally to the square of the input length rather than linearly. This occurs because the regex pattern used for delimiter insertion does not properly handle the alternation and quantifiers in a way that prevents backtracking on non-matching portions of extended numeric strings.

RemediationAI

Immediately upgrade Ruby on Rails to version 7.2.3.1, 8.0.4.1, 8.1.2.1, or later, depending on your current release branch. The patches are available from the official Rails releases at https://github.com/rails/rails/releases and have been committed to the main repository (see commits 29154f1097da13d48fdb3200760b3e3da66dcb11, b54a4b373c6f042cab6ee2033246b1c9ecc38974, and ec1a0e215efd27a3b3911aae6df978a80f456a49). For applications unable to upgrade immediately, implement input validation to reject excessively long numeric strings before they reach the NumberToDelimitedConverter, and consider rate-limiting or request size restrictions at the application or reverse proxy level to mitigate ReDoS exploitation. Consult the GitHub advisory at https://github.com/advisories/GHSA-cg4j-q9v8-6v38 for complete details and version mapping.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP4 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP5 Fixed
SUSE Linux Enterprise High Availability Extension 15 Fixed

Share

CVE-2026-33169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy