CVE-2026-33169.yml
---
gem: activesupport
framework: rails
cve: 2026-33169
ghsa: cg4j-q9v8-6v38
url: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
title: Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
date: 2026-03-23
description: |
  ### Impact
  `NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters.
  This could produce quadratic time complexity on long digit strings.
  ### Releases
  The fixed releases are available at the normal locations.
patched_versions:
  - "~> 7.2.3, >= 7.2.3.1"
  - "~> 8.0.4, >= 8.0.4.1"
  - ">= 8.1.2.1"
related:
  url:
    - https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
    - https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
    - https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
    - https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
    - https://github.com/rails/rails/releases/tag/v7.2.3.1
    - https://github.com/rails/rails/releases/tag/v8.0.4.1
    - https://github.com/rails/rails/releases/tag/v8.1.2.1
    - https://github.com/advisories/GHSA-cg4j-q9v8-6v38