Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via ReDoS
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in ActiveSupport’s NumberToDelimitedConverter, which uses a lookahead‑based regular expression with gsub! to add thousands delimiters. The combination of the repeated lookahead group and the in‑place gsub! call can trigger quadratic time complexity when processing long digit strings. As the input grows, the number of regex operations grows faster than linear, leading to excessive CPU usage and potential denial of service. This is a classic case of resource exhaustion (CWE‑400) coupled with a regex backtracking flaw (CWE‑1333).

Affected Systems

The issue is present in the Rails ActiveSupport library shipped with the Rails framework. It affects all Rails releases prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. Those earlier versions will handle numbers containing long numeric sequences with the vulnerable regex, whereas the patched releases have fixed the regex pattern to avoid the quadratic behavior.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, while the EPSS score of less than 1% suggests low current exploit probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector likely involves supplying a very long numeric string to any code path that calls number_to_delimited, such as form inputs, API payloads, or templating helper calls. An attacker with the ability to send such input can cause the Ruby interpreter to consume large amounts of CPU time, potentially leading to service degradation or crash if resources are exhausted.

Generated by OpenCVE AI on March 24, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rails to ActiveSupport version 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later.
  • If upgrade is not immediately possible, limit the length of numeric inputs that can be processed by number_to_delimited, e.g., reject strings greater than a few hundred characters.
  • Sanitize or validate user input to prevent excessively long number strings before they reach the converter.
  • Verify that the patched commits (29154f1, b54a4b3, ec1a0e2) have been applied if you are using a forked or custom Rails distribution.
  • Monitor application performance for abnormal CPU spikes that might indicate an attack using this vulnerability.

Generated by OpenCVE AI on March 24, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cg4j-q9v8-6v38 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
History

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Rubyonrails
Rubyonrails rails
CPEs cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Vendors & Products Rubyonrails
Rubyonrails rails
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rails
Rails activesupport
Vendors & Products Rails
Rails activesupport

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Title Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Rails Activesupport
Rubyonrails Rails
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:46:43.465Z

Reserved: 2026-03-17T21:17:08.888Z

Link: CVE-2026-33169

cve-icon Vulnrichment

Updated: 2026-03-24T15:46:31.895Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T00:16:28.113

Modified: 2026-03-24T18:01:08.873

Link: CVE-2026-33169

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-23T23:07:07Z

Links: CVE-2026-33169 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:07Z

Weaknesses