CVE-2026-35611 Overview
CVE-2026-35611 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the Addressable Ruby library, an alternative implementation to Ruby's standard library URI implementation. The vulnerability exists in versions 2.3.0 through 2.8.x of the library, where URI template implementations generate regular expressions vulnerable to catastrophic backtracking when processing maliciously crafted URIs.
Critical Impact
Applications using Addressable for URI template matching can be rendered unresponsive through denial of service attacks that exploit catastrophic regex backtracking, consuming excessive CPU resources.
Affected Products
- Addressable Ruby library versions 2.3.0 to before 2.9.0
- Ruby applications using Addressable URI template functionality
- Web services and APIs utilizing Addressable for URI parsing
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-35611 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35611
Vulnerability Analysis
This vulnerability falls under CWE-1333 (Inefficient Regular Expression Complexity), commonly known as ReDoS (Regular Expression Denial of Service). The Addressable library's URI template implementation generates regular expressions that exhibit catastrophic backtracking behavior when matched against specially crafted input.
Two distinct classes of vulnerable patterns exist within the codebase:
Explode modifier patterns: Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns containing nested unbounded quantifiers. These patterns exhibit O(2^n) time complexity when matched against malicious input.
Multi-variable patterns: Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity. The vulnerability arises because the comma separator is included within the matched character class, causing ambiguous backtracking across k variables.
Root Cause
The root cause lies in how Addressable constructs regular expressions for URI template matching. The library generates patterns with nested quantifiers and overlapping character classes without implementing safeguards against pathological backtracking scenarios. When the regex engine attempts to match these patterns against carefully crafted input strings, it explores an exponential number of backtracking paths before failing or succeeding.
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests or other input containing maliciously crafted URIs to any application that uses Addressable's URI template matching functionality. The attack is network-based and requires no authentication or user interaction. A single malicious request can cause the target application to consume excessive CPU resources while the regex engine processes the pathological input, effectively creating a denial of service condition.
The vulnerability is particularly dangerous in web application contexts where URI template matching may be performed on untrusted user input, such as routing systems or API endpoints that validate incoming request URIs against template patterns.
Detection Methods for CVE-2026-35611
Indicators of Compromise
- Abnormally high CPU utilization on application servers processing URI requests
- Application threads stuck in regex matching operations for extended periods
- Request timeouts and service unavailability correlating with specific URI patterns
- Memory consumption spikes associated with backtracking state storage
Detection Strategies
- Monitor application response times for unusual latency patterns on URI-processing endpoints
- Implement application performance monitoring (APM) to detect regex-related CPU anomalies
- Review application dependencies for Addressable library versions between 2.3.0 and 2.8.x
- Audit codebase for usage of URI template patterns with explode modifiers or multi-variable operators
Monitoring Recommendations
- Configure alerting on sustained CPU utilization exceeding baseline thresholds
- Implement request timeout enforcement at the application and load balancer layers
- Deploy rate limiting on endpoints that process user-supplied URI input
- Enable thread dump collection for diagnosing stuck regex operations
How to Mitigate CVE-2026-35611
Immediate Actions Required
- Upgrade Addressable library to version 2.9.0 or later immediately
- Audit all applications for Addressable dependency usage via Gemfile.lock or bundler
- Implement request timeout limits to bound maximum processing time per request
- Consider input validation to reject abnormally long or complex URI strings before template matching
Patch Information
The vulnerability is fixed in Addressable version 2.9.0. Organizations should update their Gemfile to specify gem 'addressable', '>= 2.9.0' and run bundle update addressable to apply the fix. For additional details, consult the GitHub Security Advisory.
Workarounds
- Implement strict input length limits on URIs processed through Addressable templates
- Deploy Web Application Firewall (WAF) rules to reject requests with suspicious URI patterns
- Add request timeout enforcement at the application layer to limit regex processing time
- Consider switching to Ruby's standard library URI implementation for simple parsing needs where template features are not required
# Configuration example - Update Gemfile
# Specify minimum version to enforce patched release
gem 'addressable', '>= 2.9.0'
# Then update the dependency
bundle update addressable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
