CVE-2026-35611
Catastrophic Backtracking in Addressable URI Template Causes DoS
Publication date: 2026-04-07
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| addressable_project | addressable | From 2.3.0 (inc) to 2.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described is a Regular Expression Denial of Service (ReDoS) issue that can lead to denial of service through excessive CPU consumption when processing maliciously crafted URIs.
While the CVE details the technical impact on availability, it does not explicitly discuss effects on compliance with common standards and regulations such as GDPR or HIPAA.
However, denial of service vulnerabilities can indirectly affect compliance by impacting system availability, which is a component of many regulatory frameworks that require maintaining service continuity and protecting against disruptions.
No direct information is provided about data confidentiality, integrity, or privacy impacts that would relate specifically to GDPR or HIPAA compliance.
Can you explain this vulnerability to me?
CVE-2026-35611 is a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the Addressable RubyGem package, specifically in its URI template implementation for versions 2.3.0 up to but not including 2.9.0.
The vulnerability arises because certain URI templates generate regular expressions that can cause catastrophic backtracking, leading to exponential or polynomial time complexity when matched against maliciously crafted URIs.
- Templates using the explode modifier (*) with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) produce nested unbounded quantifiers causing O(2^n) complexity.
- Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being inside the matched character class, causing ambiguous backtracking.
This uncontrolled backtracking leads to excessive CPU resource consumption, which can cause denial of service by making the system unresponsive or very slow.
The vulnerability was fixed in version 2.9.0 of Addressable.
How can this vulnerability impact me? :
This vulnerability can lead to denial of service (DoS) conditions by causing excessive CPU usage when the vulnerable URI template regular expressions are matched against maliciously crafted URIs.
An attacker can exploit this by sending specially crafted URIs that trigger catastrophic backtracking in the regex engine, resulting in high computational overhead and potentially making the application or service unresponsive.
The impact is availability-related, meaning the system's ability to serve legitimate requests can be severely degraded or completely halted.
The vulnerability requires no privileges or user interaction to be exploited and can be triggered remotely over the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from specific URI template patterns in the Addressable RubyGem package that cause catastrophic backtracking in regular expressions, leading to excessive CPU usage and denial of service.
Detection involves identifying if your system is running a vulnerable version of the Addressable gem (>= 2.3.0 and < 2.9.0) and if your application uses the vulnerable URI template patterns, such as those with the explode modifier (*) or multiple variables with + or # operators.
Since the vulnerability manifests as high CPU usage during URI template matching, monitoring system resource usage during URI processing can help detect exploitation attempts.
Suggested commands to detect the vulnerable gem version and monitor resource usage include:
- Check the installed Addressable gem version: `gem list addressable`
- Search your codebase for vulnerable URI template patterns, e.g., using grep: `grep -rE '\{[^}]*\*\}' ./` to find templates with the explode modifier.
- Monitor CPU usage during URI template matching or application runtime using tools like `top`, `htop`, or `pidstat`.
- Use Ruby profiling or logging around calls to `Template#match` or `Template#extract` to detect unusually long processing times.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Addressable gem to version 2.9.0 or later, where the vulnerability is fully fixed.
If upgrading is not immediately possible, apply the following workarounds:
- Avoid using vulnerable URI template patterns, specifically those with the explode modifier (*) and multiple variables with + or # operators, especially when processing user-supplied input.
- Apply short timeouts around calls to `Template#match` or `Template#extract` to limit the impact of catastrophic backtracking.
- If using MRI Ruby, consider upgrading to version 3.2 or later, which includes regex memoization that partially mitigates the vulnerability.
- Be aware that JRuby and TruffleRuby remain fully vulnerable and require gem upgrade or pattern avoidance.