CVE-2026-35611.yml
---
gem: addressable
cve: 2026-35611
ghsa: h27x-rffw-24p4
url: https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4
title: Addressable has a Regular Expression Denial of Service in Addressable templates
date: 2026-04-08
description: |
  ### Impact

  Within the URI template implementation in Addressable, two classes
  of URI template generate regular expressions vulnerable to
  catastrophic backtracking:

  1. Templates using the `*` (explode) modifier with any expansion
     operator (e.g., `{foo*}`, `{+var*}`, `{#var*}`, `{/var*}`,
     `{.var*}`, `{;var*}`, `{?var*}`, `{&var*}`) generate patterns
     with nested unbounded quantifiers that are O(2^n) when matched
     against a maliciously crafted URI.
  2. Templates using multiple variables with the `+` or `#` operators
     (e.g., `{+v1,v2,v3}`) generate patterns with O(n^k) complexity
     due to the comma separator being within the matched character
     class, causing ambiguous backtracking across k variables.

  When matched against a maliciously crafted URI, this can result
  in catastrophic backtracking and uncontrolled resource consumption,
  leading to denial of service. The first pattern was partially
  addressed in 2.8.10 for certain operator combinations. Both patterns
  are fully remediated in 2.9.0.

  Users of the URI parsing capabilities in Addressable but not
  the URI template matching capabilities are unaffected.

  ### Affected Versions

  This vulnerability affects Addressable >= 2.3.0 (note: 2.3.0 and
  2.3.1 were yanked; the earliest installable release is 2.3.2).
  It was partially fixed in version 2.8.10 and fully remediated in 2.9.0.

  The vulnerability is more exploitable on MRI Ruby < 3.2 and on all
  versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with
  Onigmo 6.9, which introduces memoization that prevents catastrophic
  backtracking for the first class of template. JRuby and TruffleRuby
  do not implement equivalent memoization and remain vulnerable
  to all patterns.

  This has been confirmed on the following runtimes:

  | Runtime          | Status               |
  |------------------|----------------------|
  | MRI Ruby 2.6     | Vulnerable           |
  | MRI Ruby 2.7     | Vulnerable           |
  | MRI Ruby 3.0     | Vulnerable           |
  | MRI Ruby 3.1     | Vulnerable           |
  | MRI Ruby 3.2     | Partially vulnerable |
  | MRI Ruby 3.3     | Partially vulnerable |
  | MRI Ruby 3.4     | Partially vulnerable |
  | MRI Ruby 4.0     | Partially vulnerable |
  | JRuby 10.0       | Vulnerable           |
  | TruffleRuby 21.2 | Vulnerable           |

  ### Workarounds

  - **Upgrade to MRI Ruby 3.2 or later**, if your application does
    not use JRuby or TruffleRuby. The Onigmo memoization introduced
    in MRI Ruby 3.2 prevents catastrophic backtracking from nested
    unbounded quantifiers (pattern 1 above — templates using the `*`
    modifier). It does not reliably mitigate the O(n^k) multi-variable
    case (pattern 2), so upgrading Ruby alone may not be sufficient
    if your templates use `{+v1,v2,...}` or `{#v1,v2,...}` syntax.
  - **Avoid using vulnerable template patterns** when matching
    user-supplied input on unpatched versions of the library:
    - Templates using the `*` (explode) modifier: `{foo*}`, `{+var*}`,
      `{#var*}`, `{.var*}`, `{/var*}`, `{;var*}`, `{?var*}`, `{&var*}`
    - Templates using multiple variables with the `+` or `#`
      operators: `{+v1,v2}`, `{#v1,v2,v3}`, etc.
  - **Apply a short timeout** around any call to `Template#match`
    or `Template#extract` that processes user-supplied data.

  ### Credits

  Discovered in collaboration with @jamfish.

  ### For more information

  If you have any questions or comments about this advisory:
  * [Open an issue](https://github.com/sporkmonger/addressable/issues)
cvss_v3: 7.5
unaffected_versions:
  - "< 2.3.0"
patched_versions:
  - ">= 2.9.0"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-35611
    - https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4
    - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
    - https://cwe.mitre.org/data/definitions/1333.html
    - https://www.regular-expressions.info/catastrophic.html
    - https://github.com/advisories/GHSA-h27x-rffw-24p4
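Putting the Impact and Workarounds sections of the advisory into practice: the Ruby below is an added example, not code from the advisory or from the addressable gem. It scans RFC 6570 template strings for the two expression shapes the advisory describes (an explode modifier on any variable, or several variables behind the `+` or `#` operator), so the templates an application matches against user-supplied URIs can be audited on a version before 2.9.0, and it wraps a matching call in a stdlib `Timeout` deadline, which is the short-timeout workaround suggested for `Template#match` and `Template#extract`. The `TemplateAudit` module name, the `findings`/`risky?`/`with_deadline` helpers and the template strings used in the checks are constructed for this example; the block does not require the gem itself, so whatever match call the application makes is simply passed as the block to `with_deadline`.

```ruby
# Added example (not part of the advisory or of the addressable gem):
# audit helper for the two template shapes described in CVE-2026-35611,
# plus a deadline wrapper for the matching call.
require 'timeout'

module TemplateAudit
  # One {expression} of an RFC 6570 template: an optional operator
  # character followed by a comma-separated list of variable specs.
  # A spec may end in the '*' explode modifier (e.g. "{/path*}").
  EXPRESSION = /\{([+#.\/;?&]?)([^{}]*)\}/

  # Returns one finding per risky expression in the template:
  #   [:explode, "{foo*}"]          -> pattern 1 in the advisory
  #   [:multi_reserved, "{+a,b}"]   -> pattern 2 in the advisory
  # Expressions that match neither shape produce no finding.
  def self.findings(template)
    template.scan(EXPRESSION).filter_map do |op, vars|
      specs = vars.split(',').map(&:strip)
      if specs.any? { |s| s.end_with?('*') }
        [:explode, "{#{op}#{vars}}"]
      elsif %w[+ #].include?(op) && specs.length > 1
        [:multi_reserved, "{#{op}#{vars}}"]
      end
    end
  end

  # True when the template should not be matched against untrusted
  # input on an unpatched version without further protection.
  def self.risky?(template)
    !findings(template).empty?
  end

  # Runs the block (for example `template.match(uri)` from the gem)
  # under a hard deadline and returns nil instead of letting a
  # backtracking match run on. Mirrors the advisory's timeout workaround.
  def self.with_deadline(seconds = 0.5)
    Timeout.timeout(seconds) { yield }
  rescue Timeout::Error
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample templates, as an application might register them.
  ['/users/{id}', '/files{/path*}', '/search{?q,page}', '/{+base,rest}'].each do |t|
    puts "#{t.ljust(20)} #{TemplateAudit.findings(t).inspect}"
  end
end
```

Run it over the full set of templates the application compiles at start-up; any `:explode` or `:multi_reserved` finding is a template that, on a version before 2.9.0, should not be matched against untrusted URIs or should at least go through `with_deadline`. The detector recognises syntax only and does not measure the cost of the regular expression the gem actually generates, so an empty result is not proof of safety, and the fix of record remains upgrading to 2.9.0.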