Description
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of service via regex backtracking
Action: Patch immediately
AI Analysis

Impact

Addressable, a Ruby library for URI handling, contains a bug in its URI template implementation. Two categories of templates construct regular expressions that backtrack catastrophically (nested unbounded quantifiers in the explode case, an ambiguous comma separator in the multi-variable + and # case), which triggers exponential backtracking when matching maliciously crafted strings. The resulting CPU and memory exhaustion can bring services to a halt.

Affected Systems

The sporkmonger Addressable library is affected in all releases from 2.3.0 up to, but not including, 2.9.0. These versions remain vulnerable until the fix delivered in 2.9.0, which removes the problematic regex construction.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating a moderate to high risk. EPSS data is not available and the issue is not listed in the KEV catalog. The attack vector is inferred to be remote: any application that processes user-supplied templates or URIs through Addressable can be targeted by sending specially crafted input that causes catastrophic backtracking, resulting in denial of service.

Generated by OpenCVE AI on April 7, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Addressable to version 2.9.0 or newer
  • Verify that all dependent libraries use the patched version
  • If an upgrade is not immediately feasible, restrict or sanitize template and URI input to eliminate complex patterns that trigger backtracking
  • Monitor CPU and memory usage for anomalous spikes that may indicate exploitation attempts
  • If possible, temporarily disable or ban the use of the vulnerable template features until a patch can be applied

Generated by OpenCVE AI on April 7, 2026 at 23:19 UTC.
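As an added example (not OpenCVE's or the Addressable project's own code), the Ruby snippet below supports the recommended actions above: it checks whether an installed Addressable version falls in the affected range (2.3.0 up to but not including 2.9.0), and it flags URI templates that belong to the two classes named in the description (any expression with the * explode modifier, or several variables under the + or # operator) so an application can refuse such templates until the upgrade is deployed. The RFC 6570 expression regex, the constant and helper names are my own assumptions.

```ruby
# Added example, not part of the OpenCVE page or the Addressable gem.
require "rubygems" # Gem::Version / Gem::Requirement ship with RubyGems

# Affected releases per the advisory: >= 2.3.0 and < 2.9.0.
VULNERABLE_RANGE = Gem::Requirement.new(">= 2.3.0", "< 2.9.0")

# Returns true when the given Addressable version needs the 2.9.0 upgrade.
def addressable_vulnerable?(version_string)
  VULNERABLE_RANGE.satisfied_by?(Gem::Version.new(version_string))
end

# RFC 6570 expression: optional operator, then a comma-separated variable
# list; each variable may carry a ':' prefix or a trailing '*' explode
# modifier. (Assumed shape; enough for the two classes described above.)
EXPRESSION = /\{([+#.\/;?&]?)([^{}]*)\}/

# Lists each expression in the template that falls into one of the two
# classes the advisory describes as backtracking catastrophically.
def risky_template_expressions(template)
  template.scan(EXPRESSION).filter_map do |operator, varlist|
    vars = varlist.split(",")
    if vars.any? { |v| v.end_with?("*") }
      "explode modifier: {#{operator}#{varlist}}"
    elsif %w[+ #].include?(operator) && vars.size > 1
      "multiple variables with #{operator}: {#{operator}#{varlist}}"
    end
  end
end

# Gate to apply before handing an untrusted template to Addressable's
# template matcher on a not-yet-upgraded host.
def template_safe_to_match?(template)
  risky_template_expressions(template).empty?
end
```

Once Addressable 2.9.0 or newer is installed the gate is no longer needed, but the version check remains useful in a CI dependency audit.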

Advisories

Source: Github GHSA
ID: GHSA-h27x-rffw-24p4
Title: Addressable has a Regular Expression Denial of Service in Addressable templates

History

Wed, 15 Apr 2026 17:30:00 +0000

First Time appeared (values added): Addressable Project; Addressable Project addressable
CPEs (values added): cpe:2.3:a:addressable_project:addressable:*:*:*:*:*:ruby:*:*
Vendors & Products (values added): Addressable Project; Addressable Project addressable

Thu, 09 Apr 2026 15:15:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

First Time appeared (values added): Sporkmonger; Sporkmonger addressable
Vendors & Products (values added): Sporkmonger; Sporkmonger addressable

Wed, 08 Apr 2026 12:30:00 +0000

References: changed (values not shown)
Metrics threat_severity (values removed): None
Metrics threat_severity (values added): Moderate

Tue, 07 Apr 2026 18:00:00 +0000

Description (values added): same text as the Description section above
Title (values added): Addressable has a Regular Expression Denial of Service in Addressable templates
Weaknesses (values added): CWE-1333
References: changed (values not shown)
Metrics cvssV3_1 (values added): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T14:36:18.529Z

Reserved: 2026-04-03T21:25:12.163Z

Link: CVE-2026-35611

Vulnrichment

Updated: 2026-04-09T14:36:14.327Z

NVD

Status: Analyzed

Published: 2026-04-07T17:16:35.427

Modified: 2026-04-15T17:20:27.607

Link: CVE-2026-35611

Redhat

Severity: Moderate

Public Date: 2026-04-07T16:38:08Z

Links: CVE-2026-35611 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:47:50Z

Weaknesses