CVE-2026-33169

CWE-400 — Uncontrolled Resource Consumption CWE-13338 documents7 sources

Severity

6.9MEDIUM

EPSS

0.0%

top 95.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Activesupport Rubyonrails Rails

Timeline

PublishedMar 24

Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5rails/activesupport< 7.2.3.1+2

▶RubyGemsactivesupport8.1.0.beta1 — 8.1.2.1+2

▶NVDrubyonrails/rails8.0.0 — 8.0.4.1+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33169: Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework↗2026-03-24

▶

CVEList

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited↗2026-03-23

▶

OSV

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited↗2026-03-23

▶

GHSA

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited↗2026-03-23

▶

📋Vendor Advisories

Red Hat

rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings↗2026-03-23

▶

Debian

CVE-2026-33169: rails - Active Support is a toolkit of support libraries and Ruby core extensions extrac...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33169 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶