VYPR
Moderate severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026

Rails Active Support has a possible DoS vulnerability in its number helpers

CVE-2026-33176

Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the Active Support number helpers accept strings containing scientific notation (e.g. "1e10000"), which BigDecimal expands into an extremely large plain-decimal representation. Formatting that expanded number causes excessive memory allocation and CPU consumption, so an attacker who controls the input string can cause a denial of service. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
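The following Ruby script is added here as an illustration; it is not taken from the Rails code base or from the patch. It shows the expansion the description refers to (a 7-character input becoming a string of more than ten thousand characters once BigDecimal writes it out in plain form) and one input guard an application can place in front of a number helper while upgrading. It uses only the bigdecimal standard library. The input "1e10000" is the one quoted in the advisory; `safe_numeric_string?`, `delimit`, and the `max_exponent` bound are hypothetical helpers and values chosen for this example, not Active Support's own API or its fix.

```ruby
require "bigdecimal"

# Constructed input from the advisory: a short string whose BigDecimal value
# has an enormous plain-decimal (non-exponent) representation.
SCI_INPUT = "1e10000"

# Number of characters BigDecimal produces when the value is written out in
# plain form, which is the string a formatting helper then has to walk.
def expanded_length(str)
  BigDecimal(str).to_s("F").length
end

# Strict decimal grammar: optional sign, digits, optional fraction, no exponent.
PLAIN_DECIMAL = /\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)\z/
# Same grammar with an exponent part, captured so its magnitude can be bounded.
SCI_DECIMAL   = /\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)[eE]([+-]?\d+)\z/

# Hypothetical input guard (not Rails' fix): accept plain decimals, and accept
# scientific notation only while |exponent| stays within a small bound, so the
# expanded form cannot grow much beyond max_exponent digits. Negative exponents
# matter too: "1e-10000" expands to "0.000...1" with ten thousand zeros.
def safe_numeric_string?(str, max_exponent: 30)
  s = str.to_s.strip
  return true if PLAIN_DECIMAL.match?(s)
  m = SCI_DECIMAL.match(s)
  return false unless m
  m[1].to_i.abs <= max_exponent
end

# Hypothetical stand-in for a delimiting number helper: inserts thousands
# separators into the integer part of a decimal string. The guard runs before
# BigDecimal is asked to expand anything.
def delimit(str, delimiter: ",")
  raise ArgumentError, "refusing to expand #{str.inspect}" unless safe_numeric_string?(str)
  int, frac = BigDecimal(str).to_s("F").split(".")
  int = int.gsub(/(\d)(?=(\d{3})+\z)/, "\\1#{delimiter}")
  frac.nil? || frac == "0" ? int : "#{int}.#{frac}"
end

if __FILE__ == $PROGRAM_NAME
  puts "#{SCI_INPUT.inspect} expands to #{expanded_length(SCI_INPUT)} characters"
  puts delimit("1234567.89")
  puts delimit("1e5")
  begin
    delimit(SCI_INPUT)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of bounding the exponent rather than rejecting every "e" is that small values such as "1e5" remain usable; the bound is what keeps the work proportional to the input size. Any such guard is a mitigation for callers that cannot upgrade immediately, not a replacement for moving to a patched Active Support release.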


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions            Patched versions
activesupport (RubyGems)   >= 8.1.0.beta1, < 8.1.2.1    8.1.2.1
activesupport (RubyGems)   >= 8.0.0.beta1, < 8.0.4.1    8.0.4.1
activesupport (RubyGems)   < 7.2.3.1                    7.2.3.1
