Rails Active Support has a possible DoS vulnerability in its number helpers
Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which BigDecimal expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Active Support number helpers accept scientific notation strings, causing BigDecimal to allocate excessive memory and leading to denial of service.
Vulnerability
Description
Active Support's number formatting helpers, such as number_to_human, accept strings containing scientific notation (e.g., 1e10000). When such strings are passed, BigDecimal expands them into extremely large decimal representations. This expansion triggers excessive memory allocation and CPU consumption during subsequent formatting, potentially causing a denial of service (DoS) [1][2]. The issue affects versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1.
Exploitation
An attacker can exploit this vulnerability by supplying a crafted string such as 1e10000 to any application endpoint that passes user-controlled input to an Active Support number helper (number_to_currency, number_to_percentage, number_to_human and the other helpers share the same underlying converter). No authentication is required if the endpoint is publicly accessible, and the attack can be carried out remotely over the network [2]. The attack complexity is low: a single request carrying the crafted value is enough, and because the payload is only a few bytes while the expansion grows with the exponent, the cost to the attacker is negligible compared with the cost to the server [2].
Impact
Successful exploitation results in denial of service through excessive resource consumption. The server may become unresponsive or crash due to memory exhaustion, affecting availability for legitimate users [1][2].
Mitigation
The vulnerability has been patched in Active Support versions 7.2.3.1, 8.0.4.1, and 8.1.2.1 [2][4]. Users are advised to upgrade to these releases or apply the provided commit [1]. There is no known workaround for unpatched versions.
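The following Ruby is an added example, not code from Rails or from the advisory. It models the String branch of NumberConverter#valid_bigdecimal before and after the fix described above, and measures how large the plain-decimal rendering becomes so the asymmetry between input size and formatting cost is visible. The function names (to_bigdecimal_unpatched, to_bigdecimal_patched, expanded_length, expansion_table) are this example's own, not Active Support's API.

```ruby
# Added example, not code from Rails or the advisory. It models the String
# branch of NumberConverter#valid_bigdecimal before and after the fix and shows
# why a scientific-notation string is expensive to format. Function names here
# are this example's own.
require "bigdecimal"

# Pre-patch behaviour: any string BigDecimal can parse is accepted, including
# "1e10000"; BigDecimal stores it cheaply as mantissa plus exponent.
def to_bigdecimal_unpatched(str)
  BigDecimal(str, exception: false)
end

# Post-patch behaviour (mirrors the regex in the fix): a string carrying an
# exponent marker, 'e' or 'd' in either case, is rejected and nil is returned,
# so the number helper treats it as non-numeric and echoes it back unchanged.
def to_bigdecimal_patched(str)
  return nil if str.match?(/[de]/i)
  BigDecimal(str, exception: false)
end

# Length of the plain-digit rendering that formatting requires. to_s("F") is
# the expansion step: every digit implied by the exponent is materialised, so
# the output (and the work to produce it) grows linearly with the exponent even
# though the input is only a handful of characters. Returns 0 for unparseable
# input.
def expanded_length(str)
  bd = to_bigdecimal_unpatched(str)
  bd.nil? ? 0 : bd.to_s("F").length
end

# Growth of the rendering relative to the input for a range of exponents;
# returns [[input, input_length, expanded_length], ...].
def expansion_table(exponents)
  exponents.map do |exp|
    s = "1e#{exp}"
    [s, s.length, expanded_length(s)]
  end
end

if __FILE__ == $PROGRAM_NAME
  expansion_table([2, 5, 1_000, 100_000]).each do |s, inlen, outlen|
    puts format("%-10s input=%d chars  formatted=%d chars", s, inlen, outlen)
  end
  p to_bigdecimal_patched("1e10000")   # nil: rejected before BigDecimal sees it
  p to_bigdecimal_patched("1234.56")   # ordinary decimals still convert
end
```

The guard is a blocklist on the exponent marker rather than a whitelist of digit strings, so it also rejects small, harmless exponents such as "1.5e3"; with the patch those inputs are treated like any other non-numeric parameter and returned unformatted, which is the trade-off the fix makes. Note that the guard only covers strings: a BigDecimal built elsewhere from a scientific-notation string still expands when formatted, so untrusted input should reach the helpers as strings, not as pre-converted values.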
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activesupport (RubyGems) | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 |
| activesupport (RubyGems) | >= 8.0.0.beta1, < 8.0.4.1 | 8.0.4.1 |
| activesupport (RubyGems) | < 7.2.3.1 | 7.2.3.1 |
Affected products
- rails/activesupport [v5] Range: >= 8.1.0.beta1, < 8.1.2.1
Patches
19dbab51ca08 NumberConverter: reject scientific notation
2 files changed · +13 −1
activesupport/lib/active_support/number_helper/number_converter.rb+1 −1 modified@@ -180,7 +180,7 @@ def valid_bigdecimal when Float, Rational number.to_d(0) when String - BigDecimal(number, exception: false) + BigDecimal(number, exception: false) unless number.to_s.match?(/[de]/i) else number.to_d rescue nil end
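Review bot: the new guard on the `when String` arm, `BigDecimal(number, exception: false) unless number.to_s.match?(/[de]/i)`, screens only String input; the unchanged `else number.to_d` arm directly below it still passes a caller-supplied BigDecimal through, so a value that was built upstream from a scientific-notation string reaches the formatter untouched. A one-line comment on the method stating that the guard assumes untrusted input arrives as a String would make that boundary explicit. Two smaller points: `number.to_s` is a no-op here because `number` is already a String in this arm, so `number.match?(/[de]/i)` reads cleaner; and any string containing an 'e' or 'd', including previously accepted inputs such as "1.5e3", now yields nil and the helper echoes the raw parameter back, a user-visible behaviour change that deserves a CHANGELOG entry (the commit touches only the library file and the test). The same comments apply to the identical backports ee2c59e730e5 and ebd6be18120d.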
activesupport/test/number_helper_test.rb+12 −0 modified@@ -456,6 +456,18 @@ def test_number_helpers_should_return_non_numeric_param_unchanged assert_equal "x", number_helper.number_to_human("x") end end + + def test_number_helpers_with_scientific_notation + [@instance_with_helpers, TestClassWithClassNumberHelpers, ActiveSupport::NumberHelper].each do |number_helper| + assert_equal "$123481223d98989", number_helper.number_to_currency("123481223d98989") + assert_equal "$11288E822220222", number_helper.number_to_currency("11288E822220222") + assert_equal "-$888E89789", number_helper.number_to_currency("-888E89789") + + assert_equal "123481223d98989%", number_helper.number_to_percentage("123481223d98989") + assert_equal "11288E822220222%", number_helper.number_to_percentage("11288E822220222") + assert_equal "-888E89789%", number_helper.number_to_percentage("-888E89789") + end + end end end end
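Review bot: none of the six inputs in test_number_helpers_with_scientific_notation exercises a lowercase 'e' or the reported "1e10000" shape (short mantissa, very large exponent); every case uses 'd' or uppercase 'E', so the `/i` flag and the lowercase path of the guard go untested. Add at least `number_to_currency("1e10000")` and, since the surrounding test already calls number_to_human, `number_to_human("1e10000")`, asserting the parameter comes back unchanged; that pins the exact input from the report and covers a helper other than currency and percentage, both of which route through the same converter the fix touches.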
ee2c59e730e5 NumberConverter: reject scientific notation
2 files changed · +13 −1
activesupport/lib/active_support/number_helper/number_converter.rb+1 −1 modified@@ -180,7 +180,7 @@ def valid_bigdecimal when Float, Rational number.to_d(0) when String - BigDecimal(number, exception: false) + BigDecimal(number, exception: false) unless number.to_s.match?(/[de]/i) else number.to_d rescue nil end
activesupport/test/number_helper_test.rb+12 −0 modified@@ -456,6 +456,18 @@ def test_number_helpers_should_return_non_numeric_param_unchanged assert_equal "x", number_helper.number_to_human("x") end end + + def test_number_helpers_with_scientific_notation + [@instance_with_helpers, TestClassWithClassNumberHelpers, ActiveSupport::NumberHelper].each do |number_helper| + assert_equal "$123481223d98989", number_helper.number_to_currency("123481223d98989") + assert_equal "$11288E822220222", number_helper.number_to_currency("11288E822220222") + assert_equal "-$888E89789", number_helper.number_to_currency("-888E89789") + + assert_equal "123481223d98989%", number_helper.number_to_percentage("123481223d98989") + assert_equal "11288E822220222%", number_helper.number_to_percentage("11288E822220222") + assert_equal "-888E89789%", number_helper.number_to_percentage("-888E89789") + end + end end end end
ebd6be18120d NumberConverter: reject scientific notation
2 files changed · +13 −1
activesupport/lib/active_support/number_helper/number_converter.rb+1 −1 modified@@ -180,7 +180,7 @@ def valid_bigdecimal when Float, Rational number.to_d(0) when String - BigDecimal(number, exception: false) + BigDecimal(number, exception: false) unless number.to_s.match?(/[de]/i) else number.to_d rescue nil end
activesupport/test/number_helper_test.rb+12 −0 modified@@ -456,6 +456,18 @@ def test_number_helpers_should_return_non_numeric_param_unchanged assert_equal "x", number_helper.number_to_human("x") end end + + def test_number_helpers_with_scientific_notation + [@instance_with_helpers, TestClassWithClassNumberHelpers, ActiveSupport::NumberHelper].each do |number_helper| + assert_equal "$123481223d98989", number_helper.number_to_currency("123481223d98989") + assert_equal "$11288E822220222", number_helper.number_to_currency("11288E822220222") + assert_equal "-$888E89789", number_helper.number_to_currency("-888E89789") + + assert_equal "123481223d98989%", number_helper.number_to_percentage("123481223d98989") + assert_equal "11288E822220222%", number_helper.number_to_percentage("11288E822220222") + assert_equal "-888E89789%", number_helper.number_to_percentage("-888E89789") + end + end end end end
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2j26-frm8-cmj9 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33176 (ghsa; ADVISORY)
- github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb (ghsa; x_refsource_MISC; WEB)
- github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a (ghsa; x_refsource_MISC; WEB)
- github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 (ghsa; x_refsource_MISC; WEB)
- github.com/rails/rails/releases/tag/v7.2.3.1 (ghsa; x_refsource_MISC; WEB)
- github.com/rails/rails/releases/tag/v8.0.4.1 (ghsa; x_refsource_MISC; WEB)
- github.com/rails/rails/releases/tag/v8.1.2.1 (ghsa; x_refsource_MISC; WEB)
- github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9 (ghsa; x_refsource_CONFIRM; WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml (ghsa; WEB)
News mentions
No linked articles in our index yet.