CVE-2026-35611: Regex Denial of Service in Project Addressable

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 81.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 7; latest update Apr 13

Description

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

RubyGems: addressable_project/addressable, affected from 2.3.0, fixed in 2.9.0
CVEListV5: sporkmonger/addressable, >= 2.3.0, < 2.9.0

Vulnerability Details

VulDB: sporkmonger addressable up to 2.8.x redos (GHSA-h27x-rffw-24p4 / Nessus ID 305616) (2026-04-13)
GHSA: Addressable has a Regular Expression Denial of Service in Addressable templates (2026-04-08)
OSV: Addressable has a Regular Expression Denial of Service in Addressable templates (2026-04-08)
OSV: CVE-2026-35611: Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library (2026-04-07)

Vendor Advisories

Red Hat: addressable: Addressable: Denial of Service via crafted URI templates (2026-04-07)
Debian: CVE-2026-35611: ruby-addressable - Addressable is an alternative implementation to the URI implementation that is p... (2026)

Threat Intelligence

Wiz: CVE-2026-35611 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-40070 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-40069 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-39324 Impact, Exploitability, and Mitigation Steps | Wiz

Community

Bugzilla: CVE-2026-35611 addressable: Addressable: Denial of Service via crafted URI templates (2026-04-07)
CVE-2026-35611 — Regex Denial of Service | cvebase