CVE-2026-33176
Denial of Service via BigDecimal in Active Support Number Helpers
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rubyonrails | rails | Up to 7.2.3.1 (exc) |
| rubyonrails | rails | From 8.0.0 (inc) to 8.0.4.1 (exc) |
| rubyonrails | rails | From 8.1.0 (inc) to 8.1.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33176 is a vulnerability in the Active Support number helpers of the Ruby on Rails framework. The helpers accept strings as input and convert them with Ruby's BigDecimal class. A string written in scientific notation (such as "1e10000") is cheap for BigDecimal to parse, because the value is stored as a mantissa and an exponent, but when the helper then renders it in fixed-point notation every one of those digits has to be materialized. That expansion is what consumes the memory and CPU time during formatting.

An attacker who controls a string that reaches one of these helpers can therefore cause a denial of service (DoS) by supplying a value with a huge exponent, exhausting memory or CPU on the server.

The fix changes the number conversion so that strings containing scientific notation are rejected before any attempt to convert them to BigDecimal, so extremely large values expressed this way are never expanded. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) condition in applications using vulnerable versions of Ruby on Rails Active Support number helpers.
By submitting input strings containing scientific notation, an attacker can trigger excessive memory allocation and CPU usage during number formatting, potentially making the application unresponsive or crashing it.
This can lead to service downtime, degraded performance, and a poor user experience, especially in environments where user input is not properly sanitized or validated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the processing of strings containing scientific notation by the Active Support number helpers in Ruby on Rails, which can lead to excessive memory and CPU usage. Detection means identifying whether your application is receiving inputs in scientific notation (a digit string followed by an exponent marker 'e', 'E', 'd' or 'D' and more digits) that are passed to the number conversion methods.

Since the vulnerability is triggered by such inputs, you can monitor request logs or captured parameters for that pattern. Searching for the bare characters 'd' or 'e' is useless, since almost every log line contains them; match the full number-plus-exponent shape instead, and concentrate on large exponents, which legitimate input rarely carries.

The resources provide no specific commands, but the following searches flag suspicious values in request logs:

- `grep -En '[0-9]+(\.[0-9]+)?[eEdD][+-]?[0-9]{3,}' /path/to/your/application/logs/*.log` (exponents of three or more digits; low noise)
- `grep -En '[0-9]+(\.[0-9]+)?[eEdD][+-]?[0-9]+' /path/to/your/application/logs/*.log` (any scientific notation; noisier, useful for a first survey)

Additionally, CPU and memory spikes on the application processes during request processing may indicate exploitation attempts. [1, 2, 3, 4]
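The log search described above, carried out in Ruby rather than with grep, as an added example that is not part of the original page or of Rails: it reports every scientific-notation number whose exponent is at or above a threshold, so an analyst sees "1e10000" but not a harmless "2.5e3". The sample log lines are constructed for this example in the shape of Rails request logs, the addresses are documentation-range placeholders, and the default threshold of 100 is an assumption about what legitimate traffic looks like.

```ruby
# Matches a decimal number carrying an exponent marker that BigDecimal would
# accept: e, E, d or D, with an optional sign on the exponent.
SCI_NUMBER = /\b(\d+(?:\.\d+)?)[eEdD]([+-]?\d+)\b/

# Constructed sample log lines in the shape of Rails request logs (not real data).
SAMPLE_LOG = [
  'Started POST "/invoices" for 203.0.113.10 at 2026-03-24 10:00:01 +0000',
  '  Parameters: {"invoice"=>{"amount"=>"1999.99", "tax"=>"7.5"}}',
  'Started POST "/invoices" for 203.0.113.11 at 2026-03-24 10:00:02 +0000',
  '  Parameters: {"invoice"=>{"amount"=>"1e10000", "tax"=>"0"}}',
  'Started GET "/reports?scale=2.5e3" for 203.0.113.12 at 2026-03-24 10:00:03 +0000',
  '  Parameters: {"scale"=>"2.5e3"}',
  '  Parameters: {"amount"=>"9D999999"}',
  'Completed 200 OK in 12ms (Views: 1.2ms | ActiveRecord: 3.4ms)',
].freeze

# Scan log lines for scientific-notation numbers whose absolute exponent is at
# least min_exponent. Returns [[line_number, matched_text, exponent], ...] in
# file order. min_exponent: 0 lists every scientific-notation value seen.
def find_exponent_abuse(lines, min_exponent: 100)
  hits = []
  lines.each_with_index do |line, i|
    line.scan(SCI_NUMBER) do
      m = Regexp.last_match
      exponent = m[2].to_i.abs
      hits << [i + 1, m[0], exponent] if exponent >= min_exponent
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  find_exponent_abuse(SAMPLE_LOG).each do |lineno, text, exponent|
    puts "line #{lineno}: #{text} (exponent #{exponent})"
  end
end
```

Run it against a real file with `find_exponent_abuse(File.readlines("log/production.log"))`; lower `min_exponent` to see how much exponent notation your application normally receives before choosing an alerting threshold.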
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Active Support component of Ruby on Rails to a patched version.

- Upgrade to Active Support 7.2.3.1, 8.0.4.1 or 8.1.2.1 (or a later release in the same series); these include the patch that rejects inputs containing scientific notation before converting them with BigDecimal.

The patch stops strings containing 'e' or 'd' characters (the exponent markers BigDecimal accepts) from being converted to BigDecimal at all, so the expansion that caused the excessive resource consumption during formatting can no longer be triggered through this path.

If an immediate upgrade is not possible, validate or sanitize input before it reaches the number helpers: reject strings matching an exponent pattern, or bound the number of digits, so such values never reach the vulnerable conversion code. Note that a legitimate value such as "1e5" is also rejected by the patched helpers; if your application accepts exponent notation on purpose, convert it to a numeric type with a bounded magnitude yourself before calling the helper. [1, 2, 3, 4]
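The expansion described in the explanation above and the pre-conversion guard described in this mitigation, as one added example serving both. This is illustrative code written for this page, not Active Support's own implementation: the function names, the 64-digit cap and the fall-through-to-raw-input behaviour are assumptions. The exponent used to show the expansion is kept small on purpose so the script finishes instantly; the same call with "1e10000" produces a 10003-character string, and an attacker picks the exponent.

```ruby
require "bigdecimal"

# Number of characters produced when the string is parsed with BigDecimal and
# then rendered in fixed-point notation, which is what formatting helpers do.
# Parsing is cheap (mantissa and exponent); the cost is entirely in to_s("F").
def expanded_length(str)
  BigDecimal(str).to_s("F").length
end

# BigDecimal accepts e/E/d/D as exponent markers, so all four are refused.
SCI_NOTATION = /[eEdD]/

# Hardened conversion (illustrative, not Rails' code): refuse exponent notation
# before BigDecimal ever sees the string, as the advisory describes for the fix,
# and additionally bound the raw digit count (the 64-digit cap is an assumption).
# Returns nil for anything that should not be formatted, so the caller can echo
# the original input instead of expanding it.
def to_bigdecimal_safely(input, max_digits: 64)
  return nil unless input.is_a?(String)
  s = input.strip
  return nil if s.match?(SCI_NOTATION)
  return nil if s.count("0-9") > max_digits
  BigDecimal(s, exception: false)   # nil for non-numeric strings
end

# What a helper built on the guard would do: format if the guard accepts the
# value, otherwise return the input untouched (assumed fallback behaviour).
def format_fixed(input, precision: 2)
  value = to_bigdecimal_safely(input)
  return input if value.nil?
  value.round(precision).to_s("F")
end

if __FILE__ == $PROGRAM_NAME
  puts expanded_length("1e300")     # output length grows with the exponent
  puts format_fixed("1234.5678")    # normal value is formatted
  puts format_fixed("1e10000")      # guard trips; string returned untouched
end
```

The digit-count cap is independent of the exponent check: it also stops a plain string of hundreds of thousands of digits, which the exponent guard alone would pass through to BigDecimal.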