Resource exhaustion in Rails Activesupport
CVE-2026-33176
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.000 (9.6th percentile)
Affected products
- Rails Activesupport — versions >= 8.1.0.beta1 and < 8.1.2.1; >= 8.0.0.beta1 and < 8.0.4.1; < 7.2.3.1
Weakness classification (CWE)
References
- https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9 (x_refsource_CONFIRM)
- https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb (x_refsource_MISC)
- https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a (x_refsource_MISC)
- https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 (x_refsource_MISC)
- https://github.com/rails/rails/releases/tag/v7.2.3.1 (x_refsource_MISC)
- https://github.com/rails/rails/releases/tag/v8.0.4.1 (x_refsource_MISC)
- https://github.com/rails/rails/releases/tag/v8.1.2.1 (x_refsource_MISC)