VYPR
Low severity · NVD Advisory · Published Feb 9, 2023 · Updated Nov 27, 2024

CVE-2023-22796

Description

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in Active Support's underscore method allows attackers to cause a denial of service via crafted strings.

Vulnerability

A regular expression denial of service (ReDoS) vulnerability exists in the Active Support library of Ruby on Rails versions prior to 6.1.7.1 and 7.0.4.1. The underscore method uses a regular expression that is susceptible to catastrophic backtracking when processing a specially crafted string. This leads to excessive CPU and memory consumption [1][4].

Exploitation

An attacker can exploit this vulnerability by supplying a crafted string to any application that passes untrusted input to the underscore method. Since this method is commonly used in Rails applications for string transformations, an unauthenticated remote attacker can trigger the DoS condition without requiring any special privileges [1].

Impact

Successful exploitation results in a denial of service, causing the affected application to become unresponsive due to high resource consumption. This can lead to service disruption for legitimate users [1].

Mitigation

The vulnerability is patched in Rails versions 6.1.7.1, 7.0.4.1, and also 6.0.6.1. Users running affected versions should upgrade immediately. No workarounds are available [3].
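As an added, stand-alone Ruby illustration (not code from the Rails project or from this advisory) of why the upgrade is safe to apply without behaviour changes: both forms of the underscore transformation seen in the linked commits are reimplemented below, with Rails' acronym pass omitted (an assumption of this example), and compared for identical output on constructed inputs.

```ruby
# Added example: stand-alone re-implementation of the underscore transformation
# before and after the fix. Rails' acronym pass (inflections.acronyms_underscore_regex)
# is omitted here; that is an assumption of this example, not the project's code.

# Pre-fix form: the "+" on [A-Z\d] followed by a group that must start with
# another uppercase letter lets the engine retry every split point of an
# uppercase run before giving up, which is the backtracking the CVE describes.
def underscore_before_fix(camel_cased_word)
  return camel_cased_word.to_s unless /[A-Z-]|::/.match?(camel_cased_word)
  word = camel_cased_word.to_s.gsub("::", "/")
  word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
  word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
  word.tr!("-", "_")
  word.downcase!
  word
end

# Fixed form: single-character captures plus non-consuming lookaheads, so each
# position is examined once and the scan is linear in the input length.
def underscore_after_fix(camel_cased_word)
  return camel_cased_word.to_s unless /[A-Z-]|::/.match?(camel_cased_word)
  word = camel_cased_word.to_s.gsub("::", "/")
  word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
  word.tr!("-", "_")
  word.downcase!
  word
end

# Constructed sample inputs: CamelCase, leading acronyms, a namespace, a digit
# boundary, hyphens and an already-underscored name.
SAMPLE_INPUTS = [
  "ActiveSupport::Inflector", "HTMLParser", "SSLError",
  "Product2Name", "my-gem-name", "already_underscored",
].freeze

# True when the fixed regex reproduces the old output on every sample, i.e.
# the patch changes matching cost, not results.
def fix_preserves_behaviour?(inputs = SAMPLE_INPUTS)
  inputs.all? { |s| underscore_before_fix(s) == underscore_after_fix(s) }
end
```

Run `fix_preserves_behaviour?` against your own application's fixtures before and after upgrading to confirm the inflection output is unchanged.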

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions      Patched versions
activesupport (RubyGems) < 6.1.7.1              6.1.7.1
activesupport (RubyGems) >= 7.0.0, < 7.0.4.1    7.0.4.1

Patches

2164d4f6a1bd

Avoid regex backtracking in Inflector.underscore

https://github.com/rails/rails · John Hawthorn · Jan 11, 2023 · via ghsa
1 file changed · +1 -1
  • activesupport/lib/active_support/inflector/methods.rb (+1 -1, modified)
    @@ -97,7 +97,7 @@ def underscore(camel_cased_word)
           return camel_cased_word.to_s unless /[A-Z-]|::/.match?(camel_cased_word)
           word = camel_cased_word.to_s.gsub("::", "/")
           word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
    -      word.gsub!(/([A-Z]+)(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
    +      word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
           word.tr!("-", "_")
           word.downcase!
           word
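Review bot: the one-line regex change is the entire fix, yet the diff touches no test file; a spec should accompany it that pins both the existing output (for example that "HTMLParser" still becomes "html_parser", which relies on the lookahead (?=[A-Z][a-z]) placing the underscore after only the last uppercase letter of a run) and a bounded running time on a long run of uppercase letters, so that a later refactor cannot reintroduce the ([A-Z]+) form. Dropping the + is what removes the retries: with a single-character capture each position is attempted once, and the lookahead consumes no input.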
    
a7cda7e6aa53

Avoid regex backtracking in Inflector.underscore

https://github.com/rails/rails · John Hawthorn · Jan 11, 2023 · via ghsa
1 file changed · +1 -2
  • activesupport/lib/active_support/inflector/methods.rb (+1 -2, modified)
    @@ -93,8 +93,7 @@ def underscore(camel_cased_word)
           return camel_cased_word unless /[A-Z-]|::/.match?(camel_cased_word)
           word = camel_cased_word.to_s.gsub("::", "/")
           word.gsub!(inflections.acronyms_underscore_regex) { "#{$1 && '_' }#{$2.downcase}" }
    -      word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
    -      word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
    +      word.gsub!(/([A-Z])(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
           word.tr!("-", "_")
           word.downcase!
           word
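Review bot: collapsing the two gsub! passes into one alternation changes the matching order from "all acronym boundaries, then all lower-to-upper boundaries" to a single left-to-right pass, and the first alternative no longer admits digits (([A-Z\d]+) became ([A-Z])), so a digit followed by an uppercase letter is now handled only by the second alternative ([a-z\d])(?=[A-Z]). The commit message should say that the output is unchanged for every existing fixture, and the suite should gain a digit-adjacent case such as "Product2Name" to document that equivalence. Separately, the unchanged context line here returns camel_cased_word without .to_s, while the sibling commit's version of the same line returns camel_cased_word.to_s; aligning the two keeps the early-return type consistent with the gsub path, which does call .to_s.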
    
