CVE-2021-22880
Description
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Active Record PostgreSQL adapter's money type input validation contains a regular expression denial of service (ReDoS) vulnerability, enabling a DoS attack via crafted input.
Vulnerability
Overview
CVE-2021-22880 is a regular expression denial of service (ReDoS) vulnerability in the PostgreSQL adapter of Active Record, a component of Ruby on Rails. The flaw resides in the input validation logic for the money type column. Specially crafted input can cause the regular expression engine to spend excessive time processing, leading to a denial of service condition [1][3].
Exploitation and Attack Surface
To exploit this vulnerability, an attacker must get a crafted string into an attribute backed by a PostgreSQL money type column in a Rails application: any form field or API parameter that is mass-assigned or otherwise cast through the affected adapter will do. Whether that requires authentication depends entirely on where the application accepts the input; the advisory states no further precondition. Application-level validations cannot reject the string first, because reading the attribute to validate it is what triggers the cast. The regular expressions in the money type's cast_value method, which parse the locale-formatted monetary string (currency symbol, thousands separators, decimal separator, accounting-style negatives) before it is handed on as a decimal, are the root cause of the ReDoS [3].
Impact
Successful exploitation results in a denial of service, where the affected Rails application spends disproportionate CPU time evaluating the regular expression. A single request can tie up a worker process for as long as the match takes, so a handful of requests can render the application unresponsive, impacting availability. The vulnerability affects all Rails versions from 4.2.0 up to (but not including) the fixed releases [3]; the GHSA ranges below start at 5.0.0 because the 4.2 series was already out of upstream support, while distribution packages of the 4.2.x and 5.1.x series carry their own fixed ranges (see Affected products).
Mitigation
Patches have been released for the supported versions: 6.1.2.1, 6.0.3.5 and 5.2.4.5. Users who cannot upgrade immediately can apply the monkey patch published with the advisory as an initializer; it replaces the money type's cast_value with the fixed implementation. Users of affected series that are no longer supported upstream (4.2.x, 5.0.x and 5.1.x; versions before 4.2.0 are not affected) should upgrade to a supported release or use a distribution package that carries the fix [2][3]. To scope exposure before patching, look for money columns (t.money in db/schema.rb, or the money type in structure.sql) and trace which of them are written from request parameters; applications with no such columns, or no PostgreSQL at all, are not affected.
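To make the root cause described under Exploitation and the hardening described under Mitigation concrete, here is an added Ruby example. It is not Rails' own code: MoneyCast is a hypothetical stand-in for the adapter's money cast, written in the shape the advisory describes (a run of non-digits followed by a run of digits and thousands separators, where both runs can consume the separator), with the backtracking and the possessive-quantifier patterns side by side and a constructed adversarial input that shows the quadratic blow-up of the former. The \A and \z anchors and the decision to return a normalised string rather than a decimal are this example's own choices.

```ruby
# Added example, not Rails source. MoneyCast is a hypothetical stand-in for the
# PostgreSQL adapter's money cast; the patterns illustrate the shape of the
# ReDoS and its fix, they are not copied from Rails.
module MoneyCast
  # Backtracking shape: \D+ and [\d,]+ both accept ",", so on a long run of
  # commas the engine can split the run between them in O(n) ways and, each
  # time the tail fails, retries the next split: O(n^2) work per match attempt.
  BACKTRACKING_US = /\A-?\D+[\d,]+\.\d{2}\z/   # e.g. "$12,345,678.12"
  BACKTRACKING_EU = /\A-?\D+[\d.]+,\d{2}\z/    # e.g. "$12.345.678,12"

  # Hardened shape: the possessive quantifier \D*+ commits to the longest
  # non-digit prefix and never gives characters back, so a failing input
  # fails after one linear pass. Valid literals cast identically.
  POSSESSIVE_US = /\A-?\D*+[\d,]+\.\d{2}\z/
  POSSESSIVE_EU = /\A-?\D*+[\d.]+,\d{2}\z/

  # Normalise a money literal to a plain decimal string ("-12345678.12") or
  # return nil when it is not a recognised literal. Non-strings pass through
  # untouched. A real adapter would hand the string on to its decimal type;
  # that step is omitted here. \A and \z are this example's choice: they
  # refuse a literal that is only the first line of a multi-line string.
  def self.cast(value, us_pattern, eu_pattern)
    return value unless value.is_a?(String)

    value = value.sub(/\A\((.+)\)\z/, '-\1')   # accounting negative "($2.55)" -> "-$2.55"
    case value
    when us_pattern then value.gsub(/[^-\d.]/, "")
    when eu_pattern then value.gsub(/[^-\d,]/, "").sub(",", ".")
    end
  end

  def self.cast_backtracking(value)
    cast(value, BACKTRACKING_US, BACKTRACKING_EU)
  end

  def self.cast_possessive(value)
    cast(value, POSSESSIVE_US, POSSESSIVE_EU)
  end

  # Constructed adversarial input: a long comma run, then a "." so the engine's
  # required-literal prefilter cannot reject the string before matching, then a
  # single digit so the trailing \d{2} fails and every split gets retried.
  def self.adversarial(n)
    ("," * n) + ".5"
  end

  # Wall-clock cost of one match attempt, in milliseconds.
  def self.match_ms(pattern, input)
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    pattern.match?(input)
    ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) * 1000.0).round(2)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts MoneyCast.cast_possessive("$12,345,678.12")   # 12345678.12
  puts MoneyCast.cast_possessive("($2.55)")          # -2.55
  # Doubling n roughly quadruples the backtracking cost; the possessive
  # pattern stays flat because it never re-splits the comma run.
  [1_000, 2_000, 4_000].each do |n|
    input = MoneyCast.adversarial(n)
    printf("n=%5d  backtracking %8.2f ms   possessive %6.2f ms\n",
           n, MoneyCast.match_ms(MoneyCast::BACKTRACKING_US, input),
           MoneyCast.match_ms(MoneyCast::POSSESSIVE_US, input))
  end
end
```

Run it with `ruby money_cast.rb`. The timing loop stays at a few thousand characters so it finishes quickly; pushing n into the tens of thousands, which a request body easily allows, is what turns the quadratic curve into a stalled worker. The functional results of the two variants are identical on every well-formed literal, which is why the fix could be shipped as a drop-in replacement of the patterns.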
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| activerecord | RubyGems | >= 5.0.0, < 5.2.4.5 | 5.2.4.5 |
| activerecord | RubyGems | >= 6.0.0, < 6.0.3.5 | 6.0.3.5 |
| activerecord | RubyGems | >= 6.1.0, < 6.1.2.1 | 6.1.2.1 |
Affected products
Active Record (no CPE assigned; ranges are keyed by package URL)

| Package | Distribution | Affected range |
|---|---|---|
| pkg:gem/activerecord | RubyGems | >= 5.0.0, < 5.2.4.5 |
| rubygem-activerecord-5_1 | openSUSE Leap 15.2 | < 5.1.4-lp152.4.3.1 |
| rubygem-activerecord-5_1 | openSUSE Leap 15.3 | < 5.1.4-5.3.3 |
| rubygem-activerecord-6.0 | openSUSE Tumbleweed | < 6.0.4.4-1.1 |
| rubygem-activerecord-4_2 | SUSE OpenStack Cloud Crowbar 8 | < 4.2.9-6.6.1 |
| rubygem-activerecord-4_2 | SUSE OpenStack Cloud Crowbar 9 | < 4.2.9-6.6.1 |
| rubygem-activerecord-5_1 | SUSE Linux Enterprise High Availability Extension 15 | < 5.1.4-5.3.3 |
| rubygem-activerecord-5_1 | SUSE Linux Enterprise High Availability Extension 15 SP1 | < 5.1.4-5.3.3 |
| rubygem-activerecord-5_1 | SUSE Linux Enterprise High Availability Extension 15 SP2 | < 5.1.4-5.3.3 |
| rubygem-activerecord-5_1 | SUSE Linux Enterprise High Availability Extension 15 SP3 | < 5.1.4-5.3.3 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8hc4-xxm3-5ppp (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/ (Fedora vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22880 (NVD entry)
- www.debian.org/security/2021/dsa-4929 (Debian vendor advisory DSA-4929)
- discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129 (Rails security announcement)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml (ruby-advisory-db entry)
- groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI (rubyonrails-security mailing list announcement)
- hackerone.com/reports/1023899 (HackerOne report)
- security.netapp.com/advisory/ntap-20210805-0009/ (NetApp advisory)
News mentions
No linked articles in our index yet.