CVE-2026-33169 Overview
CVE-2026-33169 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Active Support component of Ruby on Rails. The NumberToDelimitedConverter class uses a lookahead-based regular expression with gsub! to insert thousands delimiters into numeric strings. The interaction between the repeated lookahead group and gsub! can produce quadratic time complexity when processing long digit strings, allowing attackers to cause resource exhaustion through specially crafted input.
Critical Impact
Attackers can trigger CPU exhaustion by submitting long numeric strings to Rails applications that use number formatting helpers, potentially causing application slowdowns or denial of service.
Affected Products
- Ruby on Rails versions prior to 8.1.2.1
- Ruby on Rails versions prior to 8.0.4.1
- Ruby on Rails versions prior to 7.2.3.1
Discovery Timeline
- 2026-03-24 - CVE CVE-2026-33169 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33169
Vulnerability Analysis
This vulnerability exists in the NumberToDelimitedConverter class within the Active Support library, specifically in the activesupport/lib/active_support/number_helper/number_to_delimited_converter.rb file. The vulnerable code path is triggered when Rails applications use number formatting helpers such as number_with_delimiter() to format numeric values for display.
The root issue lies in how the regular expression pattern interacts with Ruby's gsub! method. When processing a string of digits, the lookahead-based regex must repeatedly scan forward through the string to identify positions where delimiters should be inserted. For each position in the string, the regex engine performs lookahead operations that scale with the remaining string length, resulting in O(n²) time complexity for strings of length n.
An attacker who can control numeric input to Rails number formatting functions can submit extremely long digit strings, causing the server to spend disproportionate CPU time processing the delimiter insertion. This constitutes a CWE-400 (Uncontrolled Resource Consumption) vulnerability exploitable over the network without authentication.
Root Cause
The vulnerability stems from an inefficient algorithmic approach in the parts method of NumberToDelimitedConverter. The original implementation used a regular expression with lookahead groups combined with the gsub! method to find delimiter insertion points. While functionally correct, this approach exhibits poor performance characteristics on long inputs due to the repeated lookahead evaluations at each character position.
Attack Vector
The attack can be executed remotely over the network against any Rails application that processes user-supplied numbers through Active Support's number formatting helpers. Common attack surfaces include:
- Form fields that accept numeric input and display formatted values
- API endpoints that return formatted numbers
- Report generation features that format large numbers
- Any view helper using number_with_delimiter, number_to_currency, or similar methods
The following patch demonstrates the fix applied by the Rails team:
private
def parts
left, right = number.to_s.split(".")
- left.gsub!(delimiter_pattern) do |digit_to_delimit|
- "#{digit_to_delimit}#{options[:delimiter]}"
+ if delimiter_pattern
+ left.gsub!(delimiter_pattern) do |digit_to_delimit|
+ "#{digit_to_delimit}#{options[:delimiter]}"
+ end
+ else
+ left_parts = []
+ offset = left.size % 3
+ if offset > 0
+ left_parts << left[0, offset]
+ end
+
+ (left.size / 3).times do |i|
+ left_parts << left[offset + (i * 3), 3]
+ end
+
+ left = left_parts.join(options[:delimiter])
end
+
[left, right].compact
end
Source: GitHub Commit D13149
The fix replaces the regex-based approach with a linear-time string slicing algorithm that manually divides the digit string into groups of three, eliminating the quadratic complexity.
Detection Methods for CVE-2026-33169
Indicators of Compromise
- Unusually high CPU utilization on Rails application servers during request processing
- Slow response times for requests involving number formatting operations
- Application logs showing requests with extremely long numeric parameters
- Web server timeout errors correlating with number formatting endpoints
Detection Strategies
- Monitor application performance metrics for sudden spikes in CPU usage during request handling
- Implement request logging to identify unusually long numeric inputs in parameters
- Use application performance monitoring (APM) tools to trace slow requests to NumberToDelimitedConverter operations
- Review web server access logs for requests containing numeric strings exceeding expected lengths
Monitoring Recommendations
- Set up alerts for CPU utilization thresholds on Rails application workers
- Configure request timeout monitoring to detect hanging requests
- Implement input length validation logging to identify potential exploitation attempts
- Monitor Ruby process memory and CPU metrics for anomalous patterns
How to Mitigate CVE-2026-33169
Immediate Actions Required
- Upgrade Ruby on Rails to version 8.1.2.1, 8.0.4.1, or 7.2.3.1 depending on your current major version
- Implement input validation to limit the length of numeric strings before they reach formatting helpers
- Consider rate limiting on endpoints that process user-supplied numbers
- Review application code for uses of number_with_delimiter and similar helpers with user input
Patch Information
Rails has released patched versions addressing this vulnerability. Update your application's Gemfile to use the appropriate fixed version:
- For Rails 8.1.x: Update to 8.1.2.1 or later - GitHub Release v8.1.2.1
- For Rails 8.0.x: Update to 8.0.4.1 or later - GitHub Release v8.0.4.1
- For Rails 7.2.x: Update to 7.2.3.1 or later - GitHub Release v7.2.3.1
For additional details, refer to the GitHub Security Advisory GHSA-cg4j-q9v8-6v38.
Workarounds
- Implement input validation to restrict numeric string lengths before passing to number helpers
- Add a custom before_action filter to truncate or reject excessively long numeric inputs
- Use application-level rate limiting on endpoints processing numeric formatting
- Consider implementing a custom delimiter function with linear time complexity if immediate patching is not possible
# Update Rails in your Gemfile and run bundle update
bundle update rails
# Verify the installed version
bundle show rails
# For Rails 8.1.x applications:
# Ensure Gemfile contains: gem 'rails', '>= 8.1.2.1'
# For Rails 8.0.x applications:
# Ensure Gemfile contains: gem 'rails', '>= 8.0.4.1'
# For Rails 7.2.x applications:
# Ensure Gemfile contains: gem 'rails', '>= 7.2.3.1'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
