CVE-2026-33169 PUBLISHED

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 23.03.2026 Updated: 24.03.2026

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. NumberToDelimitedConverter uses a lookahead-based regular expression with gsub! to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and gsub! can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
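An added illustration, not code from this record or from Active Support itself: a thousands delimiter written in the lookahead-plus-gsub style the description refers to, beside a single-pass version that never rescans the string. The regex is my rendering of that style (an assumption, not text from this record), and the helper names are my own.

```ruby
# Added example, not Active Support's code. The regex below is my rendering of
# the lookahead style the advisory describes; the function names are invented.

# Lookahead form: for each digit, the lookahead asserts that the remaining
# digits form complete groups of three. Every assertion scans toward the end
# of the string, so an n-digit integer part costs on the order of n^2 steps.
LOOKAHEAD_DELIMITER = /(\d)(?=(\d\d\d)+(?!\d))/

def delimited_with_lookahead(number, delimiter: ",", separator: ".")
  int_part, frac_part = number.to_s.split(separator, 2)
  int_part = int_part.to_s.gsub(LOOKAHEAD_DELIMITER) { |d| "#{d}#{delimiter}" }
  [int_part, frac_part].compact.join(separator)
end

# Single-pass form: slice the integer part into groups of three counted from
# the right and join them. Work is linear in the length of the input and does
# not depend on the input's shape, so no regex backtracking is involved.
def delimited_linear(number, delimiter: ",", separator: ".")
  int_part, frac_part = number.to_s.split(separator, 2)
  int_part = int_part.to_s
  sign = int_part.start_with?("-") ? int_part.slice!(0) : ""
  head = int_part.length % 3            # digits left over before the first full group
  groups = []
  groups << int_part[0, head] unless head.zero?
  (head...int_part.length).step(3) { |i| groups << int_part[i, 3] }
  [sign + groups.join(delimiter), frac_part].compact.join(separator)
end

# Constructed sample inputs; both helpers must agree on every one of them.
SAMPLES = [0, 12, 1234, 1234567, -1234567, "1234567.891", "-98765432.1"].freeze

def helpers_agree?
  SAMPLES.all? { |n| delimited_with_lookahead(n) == delimited_linear(n) }
end
```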

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor rails
Product activesupport
Versions
  • Version >= 8.1.0.beta1, < 8.1.2.1 is affected
  • Version >= 8.0.0.beta1, < 8.0.4.1 is affected
  • Version < 7.2.3.1 is affected

References

Problem Types

  • CWE-400: Uncontrolled Resource Consumption
  • CWE-1333: Inefficient Regular Expression Complexity