{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33169", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.888Z", "datePublished": "2026-03-23T23:07:07.630Z", "dateUpdated": "2026-03-23T23:19:24.387Z"}, "containers": {"cna": {"title": "Rails Active Support has a possible ReDoS vulnerability in number_to_delimited", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"}, {"name": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11"}, {"name": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974"}, {"name": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49"}, {"name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}], "affected": [{"vendor": "rails", "product": "activesupport", "versions": [{"version": ">= 8.1.0.beta1, < 8.1.2.1", "status": "affected"}, {"version": ">= 8.0.0.beta1, < 8.0.4.1", "status": "affected"}, {"version": "< 7.2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:19:24.387Z"}, "descriptions": [{"lang": "en", "value": "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "source": {"advisory": "GHSA-cg4j-q9v8-6v38", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "id": "CVE-2026-33169", "lastModified": "2026-03-24T00:16:28.113", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T00:16:28.113", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings", "id": "2450556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450556"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1333", "details": ["A flaw was found in Active Support, a toolkit of support libraries for the Rails framework. The `NumberToDelimitedConverter` component, responsible for formatting numbers, uses a regular expression that can lead to a significant slowdown when processing unusually long digit strings. A remote attacker could exploit this by providing specially crafted input, potentially causing a Denial of Service (DoS) due by consuming excessive system resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33169", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "rubygem-activesupport", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite:el8/rubygem-activesupport", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-23T23:07:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33169\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33169\nhttps://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11\nhttps://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974\nhttps://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.1.0.beta1,8.1.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0.0.beta1,8.0.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.2.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "activesupport", "source": "cna", "vendor": "rails"}, "product": "activesupport", "vendor": "rails"}], "created": "2026-03-24T10:30:00.231930+00:00", "updated": "2026-03-24T10:30:00.232012+00:00", "vendors": ["rails", "rails$PRODUCT$activesupport"]}