Executive Summary

CVE-2026-33169 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Active Support component of the Ruby on Rails framework, specifically in the NumberToDelimitedConverter class. This class uses a regular expression with the gsub! method to insert thousands delimiters into numeric strings. Prior to patched versions, the interaction between the repeated lookahead group in the regex and gsub! can cause quadratic time complexity when processing long digit strings.

This means that when very long digit strings are processed, the method can take exponentially longer to complete, potentially allowing an attacker to degrade performance or cause a denial of service by supplying specially crafted input.

The vulnerability was fixed by optimizing the method to reduce reliance on regex substitutions, instead using manual string slicing and grouping to insert delimiters more efficiently.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause performance degradation or denial of service in applications using the affected versions of the Ruby on Rails Active Support component.

Specifically, if an application processes long numeric strings with the vulnerable number_to_delimited method, an attacker could supply specially crafted input that triggers the quadratic time complexity in the regex operation, leading to excessive CPU usage and slowing down or crashing the application.

This can result in reduced availability or responsiveness of your application, potentially affecting end users and system stability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability is related to a performance issue in the Ruby on Rails Active Support component's number formatting method, specifically the `NumberToDelimitedConverter` using a regex with `gsub!` that can cause quadratic time complexity on long digit strings."}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you should first identify if your Ruby on Rails application uses a vulnerable version of the Active Support library (versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1).'}, {'type': 'paragraph', 'content': 'You can check the installed version of the Rails gem by running the following command in your application environment:'}, {'type': 'list_item', 'content': 'gem list rails'}, {'type': 'paragraph', 'content': 'Or check the version of activesupport specifically:'}, {'type': 'list_item', 'content': 'gem list activesupport'}, {'type': 'paragraph', 'content': 'If the version is within the vulnerable range, your system is potentially affected.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or performance degradation caused by this vulnerability, monitor your application logs and performance metrics for unusually high CPU or memory usage when processing large numeric strings, especially if user input is involved in number formatting.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Active Support component of your Ruby on Rails framework to a patched version where this vulnerability is fixed.

• Upgrade to version 8.1.2.1 or later if you are using the 8.1 series.
• Upgrade to version 8.0.4.1 or later if you are using the 8.0 series.
• Upgrade to version 7.2.3.1 or later if you are using the 7.2 series.

These versions contain the patch that optimizes the `NumberToDelimitedConverter` to avoid the quadratic time complexity caused by the regex with `gsub!`.

Additionally, consider monitoring and limiting the length of numeric strings processed by your application to reduce the risk of performance degradation.

Useful 0 Not Useful 0