[CVE-2026-33176] Possible DoS vulnerability in Active Support number helpers

jhawthorn · March 23, 2026, 9:25pm

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33176
GHSA-2j26-frm8-cmj9

Versions affected

activesupport >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activesupport >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activesupport < 7.2.3.1 (patched in 7.2.3.1)

Patches

Credit

This issue was responsibly reported by hackerone researcher https://hackerone.com/manun

Topic	Replies	Views
[CVE-2026-33169] Possible ReDoS vulnerability in number_to_delimited in Active Support Security Announcements announcement , security	288	March 23, 2026
[CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support's underscore Security Announcements patch , activesupport , security	7735	January 17, 2023
[CVE-2021-22880] Possible DoS Vulnerability in Active Record PostgreSQL adapter Security Announcements	10726	February 10, 2021
[CVE-2024-47889] Possible ReDoS vulnerability in block_format in Action Mailer Security Announcements security	904	October 15, 2024
[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests Security Announcements announcement , security	238	March 23, 2026