DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33176: CVE-2026-33176: Denial of Service via Scientific Notation in Rails Active Support Number Helpers

#security #cve #cybersecurity

CVE-2026-33176: Denial of Service via Scientific Notation in Rails Active Support Number Helpers

Vulnerability ID: CVE-2026-33176
CVSS Score: 6.6
Published: 2026-03-23

A medium-severity Denial of Service (DoS) vulnerability exists in the Active Support component of Ruby on Rails. Unsanitized string inputs containing scientific notation cause excessive memory allocation and CPU consumption during BigDecimal formatting operations, resulting in application resource exhaustion.

TL;DR

Rails Active Support number helpers are vulnerable to DoS attacks due to unbounded memory expansion when processing scientific notation strings into BigDecimals.

Technical Details

  • CWE ID: CWE-400, CWE-770
  • Attack Vector: Network
  • CVSS v4.0: 6.6 (Medium)
  • Impact: Denial of Service (Availability: High)
  • Exploit Status: None
  • CISA KEV: Not Listed

Affected Systems

  • Ruby on Rails Active Support
  • Rails 8.1
  • Rails 8.0
  • Rails 7.2
  • activesupport: >= 8.1.0.beta1, < 8.1.2.1 (Fixed in: 8.1.2.1)
  • activesupport: >= 8.0.0.beta1, < 8.0.4.1 (Fixed in: 8.0.4.1)
  • activesupport: < 7.2.3.1 (Fixed in: 7.2.3.1)

Code Analysis

Commit: 19dbab5

Fix DoS vulnerability in Active Support number helpers

Commit: ebd6be1

Backport fix for DoS in Active Support to 8.0

Commit: ee2c59e

Backport fix for DoS in Active Support to 7.2

Mitigation Strategies

  • Upgrade the Active Support gem to a patched version (8.1.2.1, 8.0.4.1, 7.2.3.1).
  • Implement application-level input validation to reject scientific notation in user-provided numerical parameters.
  • Apply wrapper methods around Active Support number helpers to sanitize inputs prior to execution.

Remediation Steps:

  1. Identify all instances where user-controlled input is passed to Active Support number helpers.
  2. Update the Rails framework dependency in the project's Gemfile.
  3. Execute bundle update activesupport to fetch the patched versions.
  4. Run the application test suite to ensure no regressions occur with the updated validation logic.
  5. Deploy the updated application to production environments.

References

Read the full report for CVE-2026-33176 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)