MEDIUM
GHSA-2j26-frm8-cmj9
Rails Active Support has a possible DoS vulnerability in its number helpers
Details
### Impact Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.
### Releases The fixed releases are available at the normal locations.
### Credit This issue was responsibly reported by Hackerone researcher [manun](https://hackerone.com/manun).
Are you affected?
Enter the version of the package you're using.
Affected packages
RubyGems / activesupport
Introduced in:
8.1.0.beta1 Fixed in: 8.1.2.1 Fix
bundle update activesupport RubyGems / activesupport
Introduced in:
8.0.0.beta1 Fixed in: 8.0.4.1 Fix
bundle update activesupport References
- https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-33176 [ADVISORY]
- https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb [WEB]
- https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a [WEB]
- https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 [WEB]
- https://github.com/rails/rails [PACKAGE]
- https://github.com/rails/rails/releases/tag/v7.2.3.1 [WEB]
- https://github.com/rails/rails/releases/tag/v8.0.4.1 [WEB]
- https://github.com/rails/rails/releases/tag/v8.1.2.1 [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml [WEB]