Moderate severity | NVD Advisory | Published Mar 23, 2026 | Updated Mar 24, 2026
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
CVE-2026-33169
Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. NumberToDelimitedConverter uses a lookahead-based regular expression with gsub! to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and gsub! can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
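As an added illustration (not Rails' own code and not the upstream patch), the same thousands-delimiter formatting done in a single right-to-left pass with no lookahead regular expression, plus a length guard for untrusted digit strings; the default delimiter "," and separator "." are assumed to match number_to_delimited's defaults, and MAX_DIGITS is a constructed threshold, not a Rails setting.

```ruby
# Added example (not Rails' own code): lookahead-free, linear-time insertion
# of thousands delimiters, the operation NumberToDelimitedConverter performs.
# Assumed defaults mirror number_to_delimited: delimiter ",", separator ".".
def delimit_digits(number, delimiter: ",", separator: ".")
  str = number.to_s
  int_part, frac_part = str.split(separator, 2)
  int_part ||= ""
  # Keep a leading sign out of the digit grouping.
  sign = ""
  if int_part.start_with?("-", "+")
    sign = int_part[0]
    int_part = int_part[1..]
  end
  # Walk the integer digits once, right to left, emitting a group of at most
  # three digits each step. No regex, no backtracking: O(n) in input length.
  groups = []
  i = int_part.length
  while i > 0
    start = [i - 3, 0].max
    groups.unshift(int_part[start...i])
    i = start
  end
  out = sign + groups.join(delimiter)
  out += separator + frac_part if frac_part
  out
end

# Defensive wrapper: reject overlong input before formatting so an untrusted
# digit string cannot drive formatting cost. MAX_DIGITS is a constructed
# threshold chosen for this example, not a Rails configuration value.
MAX_DIGITS = 1_000

def delimit_digits_bounded(number, max_digits: MAX_DIGITS, **opts)
  str = number.to_s
  if str.length > max_digits
    raise ArgumentError, "input too long (#{str.length} > #{max_digits})"
  end
  delimit_digits(str, **opts)
end
```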
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activesupport (RubyGems) | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 |
| activesupport (RubyGems) | >= 8.0.0.beta1, < 8.0.4.1 | 8.0.4.1 |
| activesupport (RubyGems) | < 7.2.3.1 | 7.2.3.1 |
Affected products
OSV coordinates (14 versions; no CPE is assigned to any of them):
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/cinc-auditor | < 7.0.107-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.10 | < 18.10.3-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.10 | < 18.10.3-r0 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.9 | < 18.9.5-r0 |
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/chainguard/kube-logging-operator-fluentd-outputs | < 6.4.0-r9 |
| pkg:apk/chainguard/ruby3.2-rails-8.1 | < 8.1.3-r0 |
| pkg:apk/chainguard/ruby3.4-rails-8.0 | < 8.0.5-r0 |
| pkg:apk/wolfi/cinc-auditor | < 7.0.107-r1 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/wolfi/kube-logging-operator-fluentd-outputs | < 6.4.0-r9 |
| pkg:apk/wolfi/ruby3.2-rails-8.1 | < 8.1.3-r0 |
| pkg:apk/wolfi/ruby3.4-rails-8.0 | < 8.0.5-r0 |
| pkg:gem/activesupport | >= 8.1.0.beta1, < 8.1.2.1 |
References
- github.com/advisories/GHSA-cg4j-q9v8-6v38 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33169 (advisory)
- github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11 (fix commit)
- github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974 (fix commit)
- github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49 (fix commit)
- github.com/rails/rails/releases/tag/v7.2.3.1 (release)
- github.com/rails/rails/releases/tag/v8.0.4.1 (release)
- github.com/rails/rails/releases/tag/v8.1.2.1 (release)
- github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38 (vendor advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml (ruby-advisory-db entry)