Ruby on Rails Active Support NumberToDelimitedConverter Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Active Support component of Ruby on Rails, specifically within the NumberToDelimitedConverter. This issue arises from the use of a lookahead-based regular expression with the gsub! method to add thousands separators. In versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1, this approach can lead to quadratic time complexity when processing long strings of digits, causing performance degradation.

Impact

Exploitation of this vulnerability can lead to a regular expression denial-of-service (ReDoS), where an attacker can cause a significant slowdown in application performance by manipulating input to create a quadratic processing time.

Reproduction

The vulnerability can be reproduced by using the number_to_delimited method of the Active Support NumberHelper module with a long string of digits. The method will process the input using a regular expression that introduces thousands separators. Due to the way the regular expression is constructed, this can create a denial-of-service condition by causing the application to take an excessive amount of time to complete the operation.

Remediation

Users can upgrade to Active Support versions 8.1.2.1, 8.0.4.1, or 7.2.3.1, where this vulnerability has been patched.

Added: Mar 24, 2026, 12:36 AM
Updated: Mar 24, 2026, 12:36 AM

Vulnerability Rating

Custom Algorithm
spread
7.6
impact
2.5
exploitability
8.6
remediation
7.7
relevance
3.0
threat
4.8
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.