Listen to this Post
The vulnerability resides in the `number_to_delimited` helper, specifically in the NumberToDelimitedConverter. This method uses a regular expression with `gsub!` to insert thousands separators into numeric strings. The regex pattern is crafted to match groups of digits, but when applied to an exceptionally long digit string (e.g., thousands of digits) that lacks delimiters, the regular expression engine can enter a catastrophic backtracking state. This results in quadratic time complexity relative to the input length, causing excessive CPU consumption. An attacker who can control the input passed to `number_to_delimited` (for example, via a parameter that is later rendered in a view) can trigger this ReDoS attack, leading to denial of service. The issue affects Rails versions: 8.1.0.beta1 to 8.1.2.1, 8.0.0.beta1 to 8.0.4.1, and any version below 7.2.3.1. The fix replaces the vulnerable regex with a more efficient algorithm that avoids backtracking. Patched releases (7.2.3.1, 8.0.4.1, 8.1.2.1) were made available immediately after the advisory was published.
Platform: Rails Active Support
Version: <7.2.3.1,<8.0.4.1,<8.1.2.1
Vulnerability : ReDoS number_to_delimited
Severity: Moderate
date: Mar 23 2026
Prediction: Patched Mar 23
What Undercode Say:
Check vulnerable version
rails -v
Simulate ReDoS with a long digit string
ruby -e 'puts "1" 100000 + "a"' -e 'require "active_support/number_helper"; ActiveSupport::NumberHelper.number_to_delimited("1"50000)'
Monitor CPU spike
top -pid $(pgrep -f rails)
How Exploit:
Send a crafted HTTP request containing a parameter with a very long digit string (e.g., 50,000+ digits) that is later passed to `number_to_delimited` in a view. The server will spend disproportionate CPU time processing the regex, potentially exhausting resources and denying service to other requests.
Protection from this CVE:
Upgrade to Rails 7.2.3.1, 8.0.4.1, or 8.1.2.1 immediately. If upgrading is not possible, avoid passing unsanitized user input to `number_to_delimited` or replace it with a custom formatter that does not use the vulnerable regex.
Impact:
Denial of service via CPU exhaustion; an unauthenticated attacker can render the application unresponsive by repeatedly submitting large numeric strings to any endpoint that uses the vulnerable helper.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

