[CVE-2026-33169] Possible ReDoS vulnerability in number_to_delimited in Active Support

jhawthorn · March 23, 2026, 9:25pm

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33169
GHSA-cg4j-q9v8-6v38

Versions affected

activesupport >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activesupport >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activesupport < 7.2.3.1 (patched in 7.2.3.1)

Patches

Credit

This issue was responsibly reported by Seokchan Yoon (https://ch4n3.kr).

Topic		Replies	Views
[CVE-2026-33176] Possible DoS vulnerability in Active Support number helpers Security Announcements announcement , security	0	305	March 23, 2026
number_with_delimiter bug + patch rubyonrails-core	4	165	January 29, 2007
[CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support's underscore Security Announcements patch , activesupport , security	0	7744	January 17, 2023
Ability to use different format mask regex while formatting currency in activesupport -> number_to_currency heloer rubyonrails-core	0	260	August 27, 2015
[CVE-2021-22880] Possible DoS Vulnerability in Active Record PostgreSQL adapter Security Announcements	0	10731	February 10, 2021