Rails Active Support, Denial of Service (DoS), Moderate

Listen to this Post

The vulnerability resides in Active Support’s number helper methods (e.g., number_to_human, number_to_currency, number_to_delimited). These helpers accept numeric input as strings and, prior to the patch, would pass a string containing scientific notation (such as "1e10000") directly to internal conversion routines. When the helper formats the number for output, the scientific‑notation string is expanded into an extremely large decimal representation (e.g., a `BigDecimal` with thousands of digits). The expansion and subsequent formatting allocate excessive memory and consume disproportionate CPU cycles, leading to a denial‑of‑service condition. The issue affects Rails versions starting from 7.2.0 up to 7.2.3.0, 8.0.0 up to 8.0.4.0, and 8.1.0 up to 8.1.2.0. It was fixed by adding validation that rejects or safely handles scientific‑notation strings before they are expanded. The fix was backported to the 7.2, 8.0, and 8.1 release lines and published in versions 7.2.3.1, 8.0.4.1, and 8.1.2.1 respectively.

dailycve form:

Platform: Ruby on Rails
Version: Multiple pre‑patch versions
Vulnerability: DoS via helpers
Severity: Moderate
date: Mar 23, 2026

Prediction: Patched Mar 23

What Undercode Say:

Check current Rails version
rails -v
Scan for vulnerable versions in a Gemfile
grep -E "rails.[7-8]." Gemfile
Test vulnerable behaviour (Ruby script)
require 'active_support/number_helper'
include ActiveSupport::NumberHelper
This would cause excessive memory/CPU in unpatched versions
number_to_human("1e10000")

How Exploit:

An attacker can inject a parameter that is passed to a number helper, for example via a query string like ?amount=1e10000. When the application uses `number_to_human(params[:amount])` or similar, the unpatched helper expands the scientific notation, triggering a DoS by exhausting memory or CPU on the server.

Protection from this CVE:

Upgrade to Rails 7.2.3.1, 8.0.4.1, or 8.1.2.1 immediately. If upgrading is not possible, sanitize all user input before passing it to any Active Support number helper, rejecting strings that contain scientific notation (e.g., via regex `/\A\d+(?:\.\d+)?\z/` for numeric input).

Impact:

Successful exploitation causes denial of service (memory exhaustion and CPU overload) through a single crafted request, potentially rendering the application unresponsive.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top