Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or
operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
AnalysisAI
Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or
operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.
Technical ContextAI
Addressable is a widely-used Ruby gem providing URI handling capabilities as an alternative to Ruby's standard library URI implementation. The vulnerability resides in the URI template expansion mechanism (RFC 6570), specifically in how the library generates regular expressions for template matching. Two distinct flaws exist: first, templates using the explode modifier (*) with any expansion operator create regex patterns with nested unbounded quantifiers, resulting in exponential time complexity O(2^n) during backtracking. Second, templates with multiple variables using reserved character operators (+ or #) generate patterns where the comma separator falls within the matched character class, creating ambiguous backtracking states across k variables with O(n^k) complexity. This is classified as CWE-1333 (Inefficient Regular Expression Complexity), a common ReDoS vulnerability class where algorithmic complexity in regex engines can be weaponized. The affected CPE (cpe:2.3:a:sporkmonger:addressable) encompasses all versions from 2.3.0 to pre-2.9.0, impacting any Ruby application using Addressable for URI template processing, particularly web frameworks, API clients, and URL routing systems.
RemediationAI
Upgrade Addressable to version 2.9.0 or later, which contains the vendor-released patch addressing both catastrophic backtracking vulnerabilities in URI template regular expression generation. For Ruby applications using Bundler, update the Gemfile to specify addressable version constraint ~> 2.9.0 or >= 2.9.0, then run bundle update addressable to apply the fix. If immediate upgrade is not feasible, implement workarounds including input validation to reject URIs exceeding reasonable length thresholds (e.g., 2048 characters), applying timeout constraints to URI template expansion operations, or avoiding use of URI templates with explode modifiers and multi-variable reserved operators on untrusted input. Review application code to identify URI template usage patterns, particularly in API routing, URL generation, or proxy functionality. Consult the GitHub Security Advisory at https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4 for detailed technical context and vendor recommendations. Test thoroughly after upgrade to ensure compatibility with application-specific URI handling logic.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19788
GHSA-h27x-rffw-24p4