Skip to main content

Red Hat CVE-2026-35611

| EUVDEUVD-2026-19788 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-04-07 GitHub_M GHSA-h27x-rffw-24p4
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 17:00 euvd
EUVD-2026-19788
Analysis Generated
Apr 07, 2026 - 17:00 vuln.today
CVE Published
Apr 07, 2026 - 16:38 nvd
HIGH 7.5

DescriptionGitHub Advisory

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or

operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.

AnalysisAI

Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or

operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.

Technical ContextAI

Addressable is a widely-used Ruby gem providing URI handling capabilities as an alternative to Ruby's standard library URI implementation. The vulnerability resides in the URI template expansion mechanism (RFC 6570), specifically in how the library generates regular expressions for template matching. Two distinct flaws exist: first, templates using the explode modifier (*) with any expansion operator create regex patterns with nested unbounded quantifiers, resulting in exponential time complexity O(2^n) during backtracking. Second, templates with multiple variables using reserved character operators (+ or #) generate patterns where the comma separator falls within the matched character class, creating ambiguous backtracking states across k variables with O(n^k) complexity. This is classified as CWE-1333 (Inefficient Regular Expression Complexity), a common ReDoS vulnerability class where algorithmic complexity in regex engines can be weaponized. The affected CPE (cpe:2.3:a:sporkmonger:addressable) encompasses all versions from 2.3.0 to pre-2.9.0, impacting any Ruby application using Addressable for URI template processing, particularly web frameworks, API clients, and URL routing systems.

RemediationAI

Upgrade Addressable to version 2.9.0 or later, which contains the vendor-released patch addressing both catastrophic backtracking vulnerabilities in URI template regular expression generation. For Ruby applications using Bundler, update the Gemfile to specify addressable version constraint ~> 2.9.0 or >= 2.9.0, then run bundle update addressable to apply the fix. If immediate upgrade is not feasible, implement workarounds including input validation to reject URIs exceeding reasonable length thresholds (e.g., 2048 characters), applying timeout constraints to URI template expansion operations, or avoiding use of URI templates with explode modifiers and multi-variable reserved operators on untrusted input. Review application code to identify URI template usage patterns, particularly in API routing, URL generation, or proxy functionality. Consult the GitHub Security Advisory at https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4 for detailed technical context and vendor recommendations. Test thoroughly after upgrade to ensure compatibility with application-specific URI handling logic.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.3 Fixed

Share

CVE-2026-35611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy