CVE-2026-33169

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11	Patch
https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974	Patch
https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49	Patch
https://github.com/rails/rails/releases/tag/v7.2.3.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.0.4.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.1.2.1	Release Notes
https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::

History

24 Mar 2026, 18:01

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:rubyonrails:rails::::::::
Summary		(es) Active Support es un conjunto de herramientas de bibliotecas de soporte y extensiones del núcleo de Ruby extraídas del framework Rails. 'NumberToDelimitedConverter' utiliza una expresión regular basada en lookahead con 'gsub!' para insertar delimitadores de millares. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, la interacción entre el grupo lookahead repetido y 'gsub!' puede producir una complejidad de tiempo cuadrática en cadenas de dígitos largas. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche.
References	~~() https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11 -~~	() https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11 - Patch
References	~~() https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974 -~~	() https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974 - Patch
References	~~() https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49 -~~	() https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49 - Patch
References	~~() https://github.com/rails/rails/releases/tag/v7.2.3.1 -~~	() https://github.com/rails/rails/releases/tag/v7.2.3.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.0.4.1 -~~	() https://github.com/rails/rails/releases/tag/v8.0.4.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.1.2.1 -~~	() https://github.com/rails/rails/releases/tag/v8.1.2.1 - Release Notes
References	~~() https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38 -~~	() https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38 - Vendor Advisory
First Time		Rubyonrails Rubyonrails rails

24 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 00:16

Updated : 2026-03-24 18:01

NVD link : CVE-2026-33169

Mitre link : CVE-2026-33169

CVE.ORG link : CVE-2026-33169

JSON object : View

Products Affected

rubyonrails

rails

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-1333

Inefficient Regular Expression Complexity

5.3 /10