DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33169: CVE-2026-33169: Regular Expression Denial of Service (ReDoS) in ActiveSupport Number Formatting

#security #cve #cybersecurity

CVE-2026-33169: Regular Expression Denial of Service (ReDoS) in ActiveSupport Number Formatting

Vulnerability ID: CVE-2026-33169
CVSS Score: 6.9
Published: 2026-03-23

CVE-2026-33169 is a Regular Expression Denial of Service (ReDoS) vulnerability in the ActiveSupport component of Ruby on Rails. The flaw exists within the NumberToDelimitedConverter class, where an inefficient regular expression used for formatting numeric strings exhibits quadratic time complexity. An attacker can trigger this vulnerability by supplying excessively long numeric strings, leading to CPU exhaustion and application denial of service.

TL;DR

A ReDoS vulnerability in Rails ActiveSupport number_to_delimited allows unauthenticated attackers to exhaust server CPU resources via excessively long numeric inputs, causing denial of service.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1333, CWE-400
  • Attack Vector: Network
  • CVSS 4.0: 6.9
  • Impact: Denial of Service (DoS)
  • Exploit Status: PoC (Payload generation is trivial)
  • KEV Status: Not Listed

Affected Systems

  • Ruby on Rails
  • ActiveSupport
  • activesupport: < 7.2.3.1
  • activesupport: >= 8.0.0.beta1, < 8.0.4.1
  • activesupport: >= 8.1.0.beta1, < 8.1.2.1

Code Analysis

Commit: ec1a0e2

Fix ReDoS in number_to_delimited by replacing gsub! with manual string slicing for the default pattern.

Commit: 29154f1

Additional related commit for CVE-2026-33169 remediation.

Commit: b54a4b3

Additional related commit for CVE-2026-33169 remediation.

Mitigation Strategies

  • Upgrade activesupport to a patched version
  • Implement strict input length validation for all numeric fields
  • Avoid passing user-controlled delimiter patterns to number formatting helpers

Remediation Steps:

  1. Identify all projects using the affected versions of the rails and activesupport gems.
  2. Update the Gemfile to require activesupport >= 7.2.3.1 for 7.x branches, >= 8.0.4.1 for 8.0 branches, or >= 8.1.2.1 for 8.1 branches.
  3. Execute bundle update activesupport to apply the changes.
  4. Audit the codebase for any custom locales or explicit calls to number_to_delimited that pass a custom :delimiter_pattern.
  5. Verify that custom patterns do not employ excessive backtracking or nested lookaheads.

References

Read the full report for CVE-2026-33169 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)