Ruby on Rails Active Support Scientific Notation Processing Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Active Support component of Ruby on Rails. This issue affects versions 7.2.3, 8.0.4, and 8.1 prior to 8.1.2.1. The vulnerability arises because the Active Support number helpers do not properly handle strings written in scientific notation, such as '1e10000'. When such a string is processed, BigDecimal expands it into an extremely large decimal number, and formatting that expanded number consumes excessive memory and CPU time, causing a denial-of-service condition.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing excessive memory and CPU usage.

Reproduction

The vulnerability can be reproduced by passing a string that contains scientific notation to an Active Support number helper, for example by calling number_to_currency or number_to_percentage with such a string. The helper's improper handling of the exponent then results in greatly increased resource consumption.

Remediation

Users can upgrade to Active Support versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 to address this vulnerability.
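Upgrading is the fix. The following Ruby is an added example, not code from Rails or from this advisory: expanded_length shows the expansion that drives the resource exhaustion, and safe_number_input? / to_bounded_decimal are an assumed application-level input guard that can sit in front of the number helpers until the upgrade is deployed. MAX_EXPONENT is an assumed policy value.

```ruby
require "bigdecimal"

# Added example, not code from Rails or from this advisory's source.
# Shows the expansion that drives the DoS and an input guard that an
# application can place in front of Active Support number helpers.
# MAX_EXPONENT is an assumed policy value: choose the largest magnitude
# your application legitimately formats.
MAX_EXPONENT = 30

# Optionally signed decimal literal with optional fraction and exponent,
# e.g. "12", "-3.50", "1.2e5". Group 1 captures the exponent digits.
NUMERIC_RE = /\A\s*[+-]?\d+(?:\.\d+)?(?:[eE]([+-]?\d+))?\s*\z/

# Length of the plain (non-exponent) decimal string that BigDecimal
# produces for +str+. A short input such as "1e10000" expands to a
# string of more than ten thousand characters before any formatting
# work even starts; that expansion is the resource amplification.
def expanded_length(str)
  BigDecimal(str).to_s("F").length
end

# True when +value+ can be passed to number_to_currency and friends
# without triggering unbounded expansion. Non-string numerics are
# already bounded by their own types, so only strings are inspected.
def safe_number_input?(value)
  return true unless value.is_a?(String)
  m = NUMERIC_RE.match(value)
  return false unless m               # not a plain decimal literal
  return true if m[1].nil?            # no exponent at all
  m[1].to_i.abs <= MAX_EXPONENT       # exponent within policy
end

# Convert a vetted value to BigDecimal, or return nil so the caller can
# reject the request instead of handing the raw string to a helper.
def to_bounded_decimal(value)
  return nil unless safe_number_input?(value)
  BigDecimal(value.to_s.strip)
rescue ArgumentError
  nil
end
```

Call to_bounded_decimal on untrusted input and pass only its non-nil result to the number helper; a nil result should be surfaced as a validation error.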

Added: Mar 24, 2026, 12:32 AM
Updated: Mar 24, 2026, 12:32 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 7.8
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.