[CVE-2026-33176] Possible DoS vulnerability in Active Support number helpers

jhawthorn · March 23, 2026, 9:25pm

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33176
GHSA-2j26-frm8-cmj9

Versions affected

activesupport >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activesupport >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activesupport < 7.2.3.1 (patched in 7.2.3.1)

Topic	Replies	Views
[CVE-2026-33169] Possible ReDoS vulnerability in number_to_delimited in Active Support Security Announcements announcement , security	48	March 23, 2026
[CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support's underscore Security Announcements patch , activesupport , security	7730	January 17, 2023
[CVE-2021-22880] Possible DoS Vulnerability in Active Record PostgreSQL adapter Security Announcements	10722	February 10, 2021
[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests Security Announcements announcement , security	33	March 23, 2026
[CVE-2024-47889] Possible ReDoS vulnerability in block_format in Action Mailer Security Announcements security	899	October 15, 2024

[CVE-2026-33176] Possible DoS vulnerability in Active Support number helpers

Impact

Releases

Versions affected

Patches

More Resources

[CVE-2026-33176] Possible DoS vulnerability in Active Support number helpers

Impact

Releases

Versions affected

Patches

Related topics

More Resources