{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33169", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.888Z", "datePublished": "2026-03-23T23:07:07.630Z", "dateUpdated": "2026-03-24T15:46:43.465Z"}, "containers": {"cna": {"title": "Rails Active Support has a possible ReDoS vulnerability in number_to_delimited", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"}, {"name": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11"}, {"name": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974"}, {"name": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49"}, {"name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}], "affected": [{"vendor": "rails", "product": "activesupport", "versions": [{"version": ">= 8.1.0.beta1, < 8.1.2.1", "status": "affected"}, {"version": ">= 8.0.0.beta1, < 8.0.4.1", "status": "affected"}, {"version": "< 7.2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:19:24.387Z"}, "descriptions": [{"lang": "en", "value": "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "source": {"advisory": "GHSA-cg4j-q9v8-6v38", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:45:49.354964Z", "id": "CVE-2026-33169", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:46:43.465Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33169", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:45:49.354964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:46:31.895Z"}}], "cna": {"title": "Rails Active Support has a possible ReDoS vulnerability in number_to_delimited", "source": {"advisory": "GHSA-cg4j-q9v8-6v38", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "rails", "product": "activesupport", "versions": [{"status": "affected", "version": ">= 8.1.0.beta1, < 8.1.2.1"}, {"status": "affected", "version": ">= 8.0.0.beta1, < 8.0.4.1"}, {"status": "affected", "version": "< 7.2.3.1"}]}], "references": [{"url": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38", "name": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11", "name": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974", "name": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49", "name": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:19:24.387Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33169", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:46:43.465Z", "dateReserved": "2026-03-17T21:17:08.888Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T23:07:07.630Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9DC6CB9-DC6C-4CBB-9806-3936ADBC8F1B", "versionEndExcluding": "7.2.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8791E1-8B96-43F6-A3EC-A7E60D700330", "versionEndExcluding": "8.0.4.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "978E0135-D14B-41DE-87E4-CF059A23E189", "versionEndExcluding": "8.1.2.1", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}, {"lang": "es", "value": "Active Support es un conjunto de herramientas de bibliotecas de soporte y extensiones del n\u00facleo de Ruby extra\u00eddas del framework Rails. 'NumberToDelimitedConverter' utiliza una expresi\u00f3n regular basada en lookahead con 'gsub!' para insertar delimitadores de millares. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, la interacci\u00f3n entre el grupo lookahead repetido y 'gsub!' puede producir una complejidad de tiempo cuadr\u00e1tica en cadenas de d\u00edgitos largas. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."}], "id": "CVE-2026-33169", "lastModified": "2026-03-24T18:01:08.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T00:16:28.113", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings", "id": "2450556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450556"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1333", "details": ["A flaw was found in Active Support, a toolkit of support libraries for the Rails framework. The `NumberToDelimitedConverter` component, responsible for formatting numbers, uses a regular expression that can lead to a significant slowdown when processing unusually long digit strings. A remote attacker could exploit this by providing specially crafted input, potentially causing a Denial of Service (DoS) due by consuming excessive system resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33169", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "rubygem-activesupport", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite:el8/rubygem-activesupport", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-23T23:07:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33169\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33169\nhttps://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11\nhttps://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974\nhttps://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.1.0.beta1,8.1.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0.0.beta1,8.0.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.2.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "activesupport", "source": "cna", "vendor": "rails"}, "product": "activesupport", "vendor": "rails"}], "analysis": {"en": {"generated_at": "2026-03-24T19:37:54.498221+00:00", "value": {"mitigation_remediation": ["Upgrade Rails to ActiveSupport version 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later.", "If upgrade is not immediately possible, limit the length of numeric inputs that can be processed by number_to_delimited, e.g., reject strings greater than a few hundred characters.", "Sanitize or validate user input to prevent excessively long number strings before they reach the converter.", "Verify that the patched commits (29154f1, b54a4b3, ec1a0e2) have been applied if you are using a forked or custom Rails distribution.", "Monitor application performance for abnormal CPU spikes that might indicate an attack using this vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via ReDoS"}, "threat_synthesis": {"affected_systems": "The issue is present in the Rails ActiveSupport library shipped with the Rails framework. It affects all Rails releases prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. Those earlier versions will handle numbers containing long numeric sequences with the vulnerable regex, whereas the patched releases have fixed the regex pattern to avoid the quadratic behavior.", "description_and_impact": "The vulnerability resides in ActiveSupport\u2019s NumberToDelimitedConverter, which uses a lookahead\u2011based regular expression with gsub! to add thousands delimiters. The combination of the repeated lookahead group and the in\u2011place gsub! call can trigger quadratic time complexity when processing long digit strings. As the input grows, the number of regex operations grows faster than linear, leading to excessive CPU usage and potential denial of service. This is a classic case of resource exhaustion (CWE\u2011400) coupled with a regex backtracking flaw (CWE\u20111333).", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity, while the EPSS score of less than 1% suggests low current exploit probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector likely involves supplying a very long numeric string to any code path that calls number_to_delimited, such as form inputs, API payloads, or templating helper calls. An attacker with the ability to send such input can cause the Ruby interpreter to consume large amounts of CPU time, potentially leading to service degradation or crash if resources are exhausted."}}}}, "created": "2026-03-24T10:30:00.231930+00:00", "updated": "2026-03-25T20:36:07.959302+00:00", "vendors": ["rails", "rails$PRODUCT$activesupport"]}