Ruby/activesupport/6.1.7.1


A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

https://rubygems.org/gems/activesupport
MIT

10 Security Vulnerabilities

Rails Active Support has a possible DoS vulnerability in its number helpers

Published date: 2026-03-23T21:15:16Z
CVE: CVE-2026-33176
Links:

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by Hackerone researcher manun.

Affected versions: ["7.2.3", "7.2.2.2", "7.2.2.1", "7.2.2", "7.2.1.2", "7.2.1.1", "7.2.1", "7.2.0", "7.2.0.rc1", "7.2.0.beta3", "7.2.0.beta2", "7.2.0.beta1", "7.1.6", "7.1.5.2", "7.1.5.1", "7.1.5", "7.1.4.2", "7.1.4.1", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.1.0.rc2", "7.1.0.rc1", "7.1.0.beta1", "7.0.10", "7.0.9", "7.0.8.7", "7.0.8.6", "7.0.8.5", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", 
"5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", 
"3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.pre", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.6.pre", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.1.1", "1.1.0", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "8.0.4", "8.0.3", "8.0.2.1", "8.0.2", "8.0.1", "8.0.0.1", "8.0.0", "8.0.0.rc2", "8.0.0.rc1", "8.0.0.beta1", "8.1.2", "8.1.1", "8.1.0", "8.1.0.rc1", "8.1.0.beta1"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Published date: 2026-03-23T20:53:28Z
CVE: CVE-2026-33170
Links:

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by @ch4n3-yoon

Affected versions: ["7.2.3", "7.2.2.2", "7.2.2.1", "7.2.2", "7.2.1.2", "7.2.1.1", "7.2.1", "7.2.0", "7.2.0.rc1", "7.2.0.beta3", "7.2.0.beta2", "7.2.0.beta1", "7.1.6", "7.1.5.2", "7.1.5.1", "7.1.5", "7.1.4.2", "7.1.4.1", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.1.0.rc2", "7.1.0.rc1", "7.1.0.beta1", "7.0.10", "7.0.9", "7.0.8.7", "7.0.8.6", "7.0.8.5", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", 
"5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", 
"3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.pre", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.6.pre", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.1.1", "1.1.0", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "8.0.4", "8.0.3", "8.0.2.1", "8.0.2", "8.0.1", "8.0.0.1", "8.0.0", "8.0.0.rc2", "8.0.0.rc1", "8.0.0.beta1", "8.1.2", "8.1.1", "8.1.0", "8.1.0.rc1", "8.1.0.beta1"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Published date: 2026-03-23T20:52:40Z
CVE: CVE-2026-33169
Links:

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.
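The following Ruby is an added example written for this page, not Active Support's own code, and it illustrates both number-helper issues above: the scientific-notation expansion of CVE-2026-33176 (the page's own 1e10000 case) and the quadratic delimiter insertion of this advisory. It bounds the expanded length of a numeric string from its exponent before anything is materialised, and inserts thousands delimiters with one linear scan instead of a lookahead pattern. MAX_DIGITS, NUMERIC and the function names are assumptions for illustration.

```ruby
# Added example, not Active Support's own code; MAX_DIGITS and the names below
# are assumptions for illustration.
require "bigdecimal"

# Upper bound on how many characters a number may expand to before we refuse
# to format it (assumed, application-specific).
MAX_DIGITS = 1_000

# Decimal string with optional sign, fraction and exponent, e.g. "-12.5e3".
NUMERIC = /\A\s*([+-]?)(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d+))?\s*\z/

# Upper bound on the length of the plain-decimal rendering of `str`, computed
# from the exponent alone so that checking "1e10000" costs nothing.
# Returns nil when `str` is not numeric.
def expanded_length(str)
  m = NUMERIC.match(str)
  return nil unless m
  sign, int_part, frac_part, exp = m[1], m[2].to_s, m[3].to_s, m[4].to_i
  return nil if int_part.empty? && frac_part.empty?
  # Moving the decimal point by |exp| places pads with up to |exp| zeros;
  # the +1 accounts for the decimal point itself.
  sign.length + int_part.length + frac_part.length + exp.abs + 1
end

# What an unguarded path does: materialise the full decimal expansion.
# Included only to measure the growth on a modest exponent.
def unguarded_expansion_length(str)
  BigDecimal(str).to_s("F").length
end

# Inserts thousands delimiters in a single pass with no lookahead, so the
# cost is linear in the number of digits.
def delimit(plain, delimiter: ",", separator: ".")
  sign = plain.start_with?("-") ? "-" : ""
  int_part, frac_part = plain.delete_prefix("-").split(".", 2)
  grouped = int_part.reverse.scan(/\d{1,3}/).map(&:reverse).reverse.join(delimiter)
  frac_part ? "#{sign}#{grouped}#{separator}#{frac_part}" : "#{sign}#{grouped}"
end

# Formats a numeric string with delimiters, refusing inputs whose expansion
# would exceed `limit`; non-numeric or oversized input is returned unchanged.
def number_to_delimited_guarded(str, limit: MAX_DIGITS)
  length = expanded_length(str)
  return str if length.nil? || length > limit
  plain = BigDecimal(str.strip).to_s("F").delete_suffix(".0")
  delimit(plain)
end
```

`number_to_delimited_guarded("1e3")` yields "1,000", while "1e10000" is handed back untouched because `expanded_length` reports 10002 characters before any BigDecimal work happens; `unguarded_expansion_length("1e500")` shows how quickly the unguarded rendering grows with the exponent.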

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by Hackerone researcher scyoon.

Affected versions: ["7.2.3", "7.2.2.2", "7.2.2.1", "7.2.2", "7.2.1.2", "7.2.1.1", "7.2.1", "7.2.0", "7.2.0.rc1", "7.2.0.beta3", "7.2.0.beta2", "7.2.0.beta1", "7.1.6", "7.1.5.2", "7.1.5.1", "7.1.5", "7.1.4.2", "7.1.4.1", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.1.0.rc2", "7.1.0.rc1", "7.1.0.beta1", "7.0.10", "7.0.9", "7.0.8.7", "7.0.8.6", "7.0.8.5", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", 
"5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", 
"3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.pre", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.6.pre", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.1.1", "1.1.0", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "8.0.4", "8.0.3", "8.0.2.1", "8.0.2", "8.0.1", "8.0.0.1", "8.0.0", "8.0.0.rc2", "8.0.0.rc1", "8.0.0.beta1", "8.1.2", "8.1.1", "8.1.0", "8.1.0.rc1", "8.1.0.beta1"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Active Support Possibly Discloses Locally Encrypted Files

Published date: 2023-08-23T20:36:24Z
CVE: CVE-2023-38037
Links:

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

  • Versions Affected: >= 5.2.0
  • Not affected: < 5.2.0
  • Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077
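An added Ruby example, not Active Support's own code, showing the permission point behind this advisory and why `umask 0077` closes it: a file opened with a permissive default mode inherits whatever the umask leaves, whereas an explicit owner-only mode at open time is safe under any umask. It applies equally to the repeated entry for CVE-2023-38037 later on this page. Function names are assumptions.

```ruby
# Added example (not Active Support's code). Function names are assumptions.
require "tmpdir"

# Creates a scratch file under the given umask with the requested open mode,
# then returns the permission bits the kernel actually applied.
def scratch_perms(umask, open_mode)
  old_umask = File.umask(umask)
  Dir.mktmpdir do |dir|
    path = File.join(dir, "scratch")
    File.open(path, "w", open_mode) { |f| f.write("constructed secret material") }
    File.stat(path).mode & 0777
  end
ensure
  File.umask(old_umask) if old_umask
end

# The naive pattern: a permissive default mode filtered only by the umask,
# which is what the advisory describes for the temporary file.
def naive_scratch_perms(umask)
  scratch_perms(umask, 0666)
end

# The hardened pattern: owner-only mode requested at open time, so the
# result does not depend on the caller's umask.
def hardened_scratch_perms(umask)
  scratch_perms(umask, 0600)
end

# True when group or world can read a file with these permission bits;
# useful as a quick audit check over files a process leaves behind.
def readable_by_others?(perm)
  (perm & 0044) != 0
end
```

With a typical `umask 0022`, `naive_scratch_perms(0022)` comes back as 0644 (readable by other users), `naive_scratch_perms(0077)` as 0600 (the advisory's workaround), and `hardened_scratch_perms(0022)` as 0600 regardless of the umask.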

Affected versions: ["7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Possible XSS Security Vulnerability in SafeBuffer#bytesplice

Published date: 2023-03-15T21:36:01Z
CVE: CVE-2023-28120
Links:

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120.

  • Versions Affected: All.
  • Not affected: None
  • Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

Affected versions: ["6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", 
"4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", 
"3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.pre", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.6.pre", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.1.1", "1.1.0", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Possible XSS Security Vulnerability in SafeBuffer#bytesplice

Published date: 2023-03-13
Framework: rails
CVE: CVE-2023-28120
CVSS V3: 5.3
Links:

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120.

  • Versions Affected: All.
  • Not affected: None
  • Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

Affected versions: ["6.0.2.1", "6.0.2.rc1", "5.2.4.3", "5.2.0", "5.1.7.rc1", "5.0.4", "5.0.0.rc1", "4.2.10", "4.2.8.rc1", "4.2.5.rc1", "4.1.14.2", "4.1.14.rc2", "4.1.11", "4.1.2.rc3", "4.0.12", "4.0.2", "4.0.0.rc1", "3.2.22.3", "3.2.22.1", "3.2.14", "3.2.14.rc1", "3.2.13.rc1", "3.2.12", "3.2.8.rc1", "3.2.6", "3.2.5", "3.2.0.rc2", "6.0.3.2", "6.0.3", "5.2.4.1", "5.2.2.rc1", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.6.2", "5.1.5.rc1", "5.1.4", "5.1.3.rc1", "5.1.0.rc2", "5.0.7", "5.0.1", "5.0.1.rc2", "5.0.0.beta2", "4.2.9.rc1", "4.2.5.1", "4.2.1.rc2", "4.2.1.rc1", "4.1.13", "4.1.4", "4.0.10.rc1", "4.0.8", "4.0.6.rc3", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc1", "4.0.0.beta1", "3.2.22", "3.2.17", "3.2.7.rc1", "3.2.4", "3.2.3", "3.1.10", "3.1.9", "3.1.6", "3.0.15", "3.0.7.rc2", "3.0.3", "3.0.0", "3.1.2.rc1", "3.1.1", "3.1.0.rc8", "3.0.12", "3.0.9.rc4", "3.0.6.rc2", "3.0.0.beta4", "3.0.0.beta2", "3.0.pre", "2.3.17", "2.3.11", "2.3.9", "2.3.9.pre", "6.0.3.1", "6.0.2.2", "6.0.0", "6.0.0.rc2", "5.2.4", "5.2.2.1", "5.2.1.rc1", "5.1.6.1", "5.1.4.rc1", "5.1.3", "5.0.5.rc2", "5.0.4.rc1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.8", "4.2.6.rc1", "4.2.3.rc1", "4.1.16.rc1", "4.1.12.rc1", "4.1.10.rc4", "4.1.10.rc1", "4.1.9", "4.1.6", "4.1.6.rc2", "4.0.3", "3.2.22.4", "3.2.19", "3.2.18", "3.2.16", "3.2.15.rc1", "3.2.13.rc2", "3.2.9.rc2", "3.1.12", "3.1.11", "3.1.5", "3.1.2", "6.0.3.rc1", "6.0.2", "6.0.1", "5.2.4.2", "5.2.4.rc1", "5.2.0.rc1", "5.1.2.rc1", "5.1.0.rc1", "5.0.6", "5.0.2", "4.2.9", "4.2.9.rc2", "4.2.6", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.0.beta2", "4.1.15.rc1", "4.1.14.1", "4.1.13.rc1", "4.1.10", "4.1.9.rc1", "4.1.6.rc1", "4.0.11.1", "4.0.10", "4.0.6.rc2", "4.0.4.rc1", "4.0.0.rc2", "3.2.15.rc2", "3.2.3.rc1", "3.2.2", "3.2.0", "3.1.8", "3.1.4.rc1", "3.1.0.rc1", "3.0.20", "3.0.17", "3.0.13", "3.0.13.rc1", "3.0.11", "3.0.9", "3.0.9.rc5", "3.0.8.rc2", "3.0.6.rc1", "3.0.5", "2.3.18", "3.1.1.rc2", "3.1.0", "3.1.0.rc6", "3.1.0.rc3", "3.0.19", "3.0.4", "3.0.1", "6.0.3.3", 
"6.0.2.rc2", "5.2.3.rc1", "5.1.3.rc3", "5.1.1", "5.0.0", "5.0.0.racecar1", "5.0.0.beta4", "4.2.10.rc1", "4.2.7.1", "4.2.5.rc2", "4.2.4.rc1", "4.2.2", "4.2.1", "4.2.0", "4.1.10.rc3", "4.1.10.rc2", "4.1.8", "4.1.2.rc1", "4.1.1", "4.1.0.beta1", "4.0.9", "4.0.6.rc1", "3.2.22.2", "3.2.10", "3.2.7", "3.1.7", "6.0.0.beta2", "5.2.4.4", "5.2.1.1", "5.1.3.rc2", "5.0.7.1", "5.0.6.rc1", "5.0.3", "5.0.2.rc1", "5.0.0.rc2", "4.2.11", "4.2.5.2", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.1.12", "4.1.7.1", "4.1.5", "4.1.2.rc2", "4.1.0.rc1", "4.0.13", "4.0.6", "4.0.5", "4.0.1", "4.0.1.rc2", "3.2.21", "3.2.20", "3.2.9.rc3", "3.2.9.rc1", "3.2.4.rc1", "3.2.3.rc2", "3.1.1.rc3", "3.1.0.rc4", "3.0.18", "3.0.16", "3.0.14", "3.0.10", "3.0.9.rc1", "3.0.8", "3.0.8.rc1", "3.0.6", "3.0.4.rc1", "3.0.2", "3.0.0.beta", "2.3.12", "3.1.0.rc2", "3.1.0.beta1", "3.0.10.rc1", "3.0.9.rc3", "3.0.5.rc1", "2.3.14", "2.3.10", "2.3.8.pre1", "2.3.6", "6.0.0.beta3", "5.2.2", "5.2.1", "5.2.0.beta1", "5.1.5", "5.1.2", "5.1.0.beta1", "5.0.7.2", "5.0.5", "5.0.5.rc1", "5.0.1.rc1", "5.0.0.1", "5.0.0.beta3", "5.0.0.beta1.1", "4.2.7", "4.2.7.rc1", "4.2.5", "4.2.0.beta4", "4.2.0.beta3", "4.1.16", "4.1.14", "4.1.3", "4.1.0.rc2", "4.1.0.beta2", "4.0.13.rc1", "4.0.11", "4.0.10.rc2", "4.0.7", "4.0.4", "3.2.22.5", "3.2.15.rc3", "3.2.14.rc2", "3.2.13", "3.2.9", "3.2.8", "3.2.8.rc2", "3.2.2.rc1", "3.2.1", "3.2.0.rc1", "3.1.5.rc1", "3.1.4", "3.1.3", "6.1.0.rc1", "6.0.3.4", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta1", "5.2.3", "5.1.6", "5.1.0", "5.0.0.beta1", "4.2.1.rc4", "4.2.0.beta1", "4.1.15", "4.1.14.rc1", "4.1.7", "4.1.2", "4.1.0", "4.0.0", "3.2.15", "3.2.11", "3.1.2.rc2", "3.1.1.rc1", "3.1.0.rc5", "3.0.8.rc4", "3.0.7.rc1", "2.3.8", "2.3.7", "2.3.6.pre", "3.0.12.rc1", "3.0.7", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta3", "2.3.16", "2.3.15", "2.3.2", "2.1.1", "1.0.2", "2.3.5", "1.4.3", "1.4.2", "1.2.1", "2.3.3", "2.2.3", "2.0.0", "1.4.1", "1.2.4", "1.1.1", "1.1.0", "2.2.2", "2.0.4", "2.0.1", "1.4.0", "1.2.3", "2.3.4", "2.1.2", 
"1.3.1", "1.2.5", "1.2.2", "1.0.3", "2.1.0", "2.0.2", "1.3.0", "2.0.5", "1.4.4", "1.0.4", "1.0.1", "1.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.0.3.5", "5.2.4.5", "6.1.2.1", "6.1.3", "6.1.3.1", "5.2.5", "6.0.3.6", "6.0.3.7", "6.1.3.2", "5.2.4.6", "5.2.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha1", "7.0.0.alpha2", "7.0.0.rc1", "6.1.4.3", "7.0.0.rc3", "6.0.4.2", "6.1.4.2", "6.0.4.3", "7.0.0.rc2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.5", "6.0.4.6", "5.2.6.1", "5.2.6.2", "6.1.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "6.1.4.7", "5.2.6.3", "6.1.5", "5.2.7", "5.2.7.1", "6.0.4.8", "7.0.2.4", "6.1.5.1", "7.0.3", "5.2.8", "6.0.5", "6.1.6", "6.1.6.1", "5.2.8.1", "6.0.5.1", "7.0.3.1", "6.1.7", "7.0.4", "6.0.6", "7.0.4.1", "6.0.6.1", "6.1.7.1", "6.1.7.2", "7.0.4.2"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Possible File Disclosure of Locally Encrypted Files

Published date: 2023-08-23
Framework: rails
CVE: 2023-38037
CVSS V3: 5.5
Links:

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

  • Versions Affected: >= 5.2.0
  • Not affected: < 5.2.0
  • Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes the contents that will be encrypted to a temporary file. The temporary file’s permissions default to the user’s current umask, so other users on the same system may be able to read its contents.

Attackers with access to the file system could read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077
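An added example, not Rails code, showing why the workaround helps and what a permanent fix looks like: a temp file that inherits the default mode is readable by others under a permissive umask, while one created with an explicit 0600 mode is not. The helper names and the sample plaintext are constructed for this demonstration.

```ruby
require "tmpdir"

# Constructed helpers; none of this is Rails code.

# True when any group or other permission bit is set on +path+.
def readable_by_others?(path)
  (File.stat(path).mode & 0o077) != 0
end

def scratch_path(basename)
  File.join(Dir.tmpdir, "#{basename}-#{Process.pid}-#{rand(1 << 32)}.tmp")
end

# Vulnerable pattern: the file is created with the default 0666 mode, so the
# umask alone decides whether other users can read it.
def create_umask_dependent_file(contents)
  path = scratch_path("loose")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o666) { |f| f.write(contents) }
  path
end

# Hardened pattern: ask for 0600 at open() time (umask can only clear bits,
# so 0600 survives any umask) and chmod afterwards as a second guard.
# O_EXCL makes the open fail if something already sits at the path.
def create_private_file(contents)
  path = scratch_path("tight")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(contents) }
  File.chmod(0o600, path)
  path
end

# Runs the block under +mask+ and restores the previous umask afterwards.
def with_umask(mask)
  previous = File.umask(mask)
  yield
ensure
  File.umask(previous) if previous
end

# Creates both files under the given umask, reports whether each one is
# readable by other users, and cleans up. Returns { loose: bool, tight: bool }.
def exposure_under_umask(mask)
  with_umask(mask) do
    loose = create_umask_dependent_file("plaintext secrets (constructed)")
    tight = create_private_file("plaintext secrets (constructed)")
    begin
      { loose: readable_by_others?(loose), tight: readable_by_others?(tight) }
    ensure
      File.delete(loose, tight)
    end
  end
end
```

Under the common default umask 0022 only the explicitly private file stays unreadable by others; under the workaround umask 0077 both do.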

Affected versions: ["6.0.2.1", "6.0.2.rc1", "5.2.4.3", "5.2.0", "6.0.3.2", "6.0.3", "5.2.4.1", "5.2.2.rc1", "6.0.3.1", "6.0.2.2", "6.0.0", "6.0.0.rc2", "5.2.4", "5.2.2.1", "5.2.1.rc1", "6.0.3.rc1", "6.0.2", "6.0.1", "5.2.4.2", "5.2.4.rc1", "6.0.3.3", "6.0.2.rc2", "5.2.3.rc1", "6.0.0.beta2", "5.2.4.4", "5.2.1.1", "6.0.0.beta3", "5.2.2", "5.2.1", "6.1.0.rc1", "6.0.3.4", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta1", "5.2.3", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.0.3.5", "5.2.4.5", "6.1.2.1", "6.1.3", "6.1.3.1", "5.2.5", "6.0.3.6", "6.0.3.7", "6.1.3.2", "5.2.4.6", "5.2.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha1", "7.0.0.alpha2", "7.0.0.rc1", "6.1.4.3", "7.0.0.rc3", "6.0.4.2", "6.1.4.2", "6.0.4.3", "7.0.0.rc2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.5", "6.0.4.6", "5.2.6.1", "5.2.6.2", "6.1.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "6.1.4.7", "5.2.6.3", "6.1.5", "5.2.7", "5.2.7.1", "6.0.4.8", "7.0.2.4", "6.1.5.1", "7.0.3", "5.2.8", "6.0.5", "6.1.6", "6.1.6.1", "5.2.8.1", "6.0.5.1", "7.0.3.1", "6.1.7", "7.0.4", "6.0.6", "7.0.4.1", "6.0.6.1", "6.1.7.1", "6.1.7.2", "7.0.4.2", "7.0.4.3", "6.1.7.3", "7.0.5", "6.1.7.4", "7.0.5.1", "7.0.6", "7.0.7"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Published date: 2026-03-23
Framework: rails
CVE: 2026-33169
Links:

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

Affected versions: ["6.0.2.1", "6.0.2.rc1", "5.2.4.3", "5.2.0", "5.1.7.rc1", "5.0.4", "5.0.0.rc1", "4.2.10", "4.2.8.rc1", "4.2.5.rc1", "4.1.14.2", "4.1.14.rc2", "4.1.11", "4.1.2.rc3", "4.0.12", "4.0.2", "4.0.0.rc1", "3.2.22.3", "3.2.22.1", "3.2.14", "3.2.14.rc1", "3.2.13.rc1", "3.2.12", "3.2.8.rc1", "3.2.6", "3.2.5", "3.2.0.rc2", "6.0.3.2", "6.0.3", "5.2.4.1", "5.2.2.rc1", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.6.2", "5.1.5.rc1", "5.1.4", "5.1.3.rc1", "5.1.0.rc2", "5.0.7", "5.0.1", "5.0.1.rc2", "5.0.0.beta2", "4.2.9.rc1", "4.2.5.1", "4.2.1.rc2", "4.2.1.rc1", "4.1.13", "4.1.4", "4.0.10.rc1", "4.0.8", "4.0.6.rc3", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc1", "4.0.0.beta1", "3.2.22", "3.2.17", "3.2.7.rc1", "3.2.4", "3.2.3", "3.1.10", "3.1.9", "3.1.6", "3.0.15", "3.0.7.rc2", "3.0.3", "3.0.0", "3.1.2.rc1", "3.1.1", "3.1.0.rc8", "3.0.12", "3.0.9.rc4", "3.0.6.rc2", "3.0.0.beta4", "3.0.0.beta2", "3.0.pre", "2.3.17", "2.3.11", "2.3.9", "2.3.9.pre", "6.0.3.1", "6.0.2.2", "6.0.0", "6.0.0.rc2", "5.2.4", "5.2.2.1", "5.2.1.rc1", "5.1.6.1", "5.1.4.rc1", "5.1.3", "5.0.5.rc2", "5.0.4.rc1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.8", "4.2.6.rc1", "4.2.3.rc1", "4.1.16.rc1", "4.1.12.rc1", "4.1.10.rc4", "4.1.10.rc1", "4.1.9", "4.1.6", "4.1.6.rc2", "4.0.3", "3.2.22.4", "3.2.19", "3.2.18", "3.2.16", "3.2.15.rc1", "3.2.13.rc2", "3.2.9.rc2", "3.1.12", "3.1.11", "3.1.5", "3.1.2", "6.0.3.rc1", "6.0.2", "6.0.1", "5.2.4.2", "5.2.4.rc1", "5.2.0.rc1", "5.1.2.rc1", "5.1.0.rc1", "5.0.6", "5.0.2", "4.2.9", "4.2.9.rc2", "4.2.6", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.0.beta2", "4.1.15.rc1", "4.1.14.1", "4.1.13.rc1", "4.1.10", "4.1.9.rc1", "4.1.6.rc1", "4.0.11.1", "4.0.10", "4.0.6.rc2", "4.0.4.rc1", "4.0.0.rc2", "3.2.15.rc2", "3.2.3.rc1", "3.2.2", "3.2.0", "3.1.8", "3.1.4.rc1", "3.1.0.rc1", "3.0.20", "3.0.17", "3.0.13", "3.0.13.rc1", "3.0.11", "3.0.9", "3.0.9.rc5", "3.0.8.rc2", "3.0.6.rc1", "3.0.5", "2.3.18", "3.1.1.rc2", "3.1.0", "3.1.0.rc6", "3.1.0.rc3", "3.0.19", "3.0.4", "3.0.1", "6.0.3.3", 
"6.0.2.rc2", "5.2.3.rc1", "5.1.3.rc3", "5.1.1", "5.0.0", "5.0.0.racecar1", "5.0.0.beta4", "4.2.10.rc1", "4.2.7.1", "4.2.5.rc2", "4.2.4.rc1", "4.2.2", "4.2.1", "4.2.0", "4.1.10.rc3", "4.1.10.rc2", "4.1.8", "4.1.2.rc1", "4.1.1", "4.1.0.beta1", "4.0.9", "4.0.6.rc1", "3.2.22.2", "3.2.10", "3.2.7", "3.1.7", "6.0.0.beta2", "5.2.4.4", "5.2.1.1", "5.1.3.rc2", "5.0.7.1", "5.0.6.rc1", "5.0.3", "5.0.2.rc1", "5.0.0.rc2", "4.2.11", "4.2.5.2", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.1.12", "4.1.7.1", "4.1.5", "4.1.2.rc2", "4.1.0.rc1", "4.0.13", "4.0.6", "4.0.5", "4.0.1", "4.0.1.rc2", "3.2.21", "3.2.20", "3.2.9.rc3", "3.2.9.rc1", "3.2.4.rc1", "3.2.3.rc2", "3.1.1.rc3", "3.1.0.rc4", "3.0.18", "3.0.16", "3.0.14", "3.0.10", "3.0.9.rc1", "3.0.8", "3.0.8.rc1", "3.0.6", "3.0.4.rc1", "3.0.2", "3.0.0.beta", "2.3.12", "3.1.0.rc2", "3.1.0.beta1", "3.0.10.rc1", "3.0.9.rc3", "3.0.5.rc1", "2.3.14", "2.3.10", "2.3.8.pre1", "2.3.6", "6.0.0.beta3", "5.2.2", "5.2.1", "5.2.0.beta1", "5.1.5", "5.1.2", "5.1.0.beta1", "5.0.7.2", "5.0.5", "5.0.5.rc1", "5.0.1.rc1", "5.0.0.1", "5.0.0.beta3", "5.0.0.beta1.1", "4.2.7", "4.2.7.rc1", "4.2.5", "4.2.0.beta4", "4.2.0.beta3", "4.1.16", "4.1.14", "4.1.3", "4.1.0.rc2", "4.1.0.beta2", "4.0.13.rc1", "4.0.11", "4.0.10.rc2", "4.0.7", "4.0.4", "3.2.22.5", "3.2.15.rc3", "3.2.14.rc2", "3.2.13", "3.2.9", "3.2.8", "3.2.8.rc2", "3.2.2.rc1", "3.2.1", "3.2.0.rc1", "3.1.5.rc1", "3.1.4", "3.1.3", "6.1.0.rc1", "6.0.3.4", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta1", "5.2.3", "5.1.6", "5.1.0", "5.0.0.beta1", "4.2.1.rc4", "4.2.0.beta1", "4.1.15", "4.1.14.rc1", "4.1.7", "4.1.2", "4.1.0", "4.0.0", "3.2.15", "3.2.11", "3.1.2.rc2", "3.1.1.rc1", "3.1.0.rc5", "3.0.8.rc4", "3.0.7.rc1", "2.3.8", "2.3.7", "2.3.6.pre", "3.0.12.rc1", "3.0.7", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta3", "2.3.16", "2.3.15", "2.3.2", "2.1.1", "1.0.2", "2.3.5", "1.4.3", "1.4.2", "1.2.1", "2.3.3", "2.2.3", "2.0.0", "1.4.1", "1.2.4", "1.1.1", "1.1.0", "2.2.2", "2.0.4", "2.0.1", "1.4.0", "1.2.3", "2.3.4", "2.1.2", 
"1.3.1", "1.2.5", "1.2.2", "1.0.3", "2.1.0", "2.0.2", "1.3.0", "2.0.5", "1.4.4", "1.0.4", "1.0.1", "1.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.0.3.5", "5.2.4.5", "6.1.2.1", "6.1.3", "6.1.3.1", "5.2.5", "6.0.3.6", "6.0.3.7", "6.1.3.2", "5.2.4.6", "5.2.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha1", "7.0.0.alpha2", "7.0.0.rc1", "6.1.4.3", "7.0.0.rc3", "6.0.4.2", "6.1.4.2", "6.0.4.3", "7.0.0.rc2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.5", "6.0.4.6", "5.2.6.1", "5.2.6.2", "6.1.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "6.1.4.7", "5.2.6.3", "6.1.5", "5.2.7", "5.2.7.1", "6.0.4.8", "7.0.2.4", "6.1.5.1", "7.0.3", "5.2.8", "6.0.5", "6.1.6", "6.1.6.1", "5.2.8.1", "6.0.5.1", "7.0.3.1", "6.1.7", "7.0.4", "6.0.6", "7.0.4.1", "6.0.6.1", "6.1.7.1", "6.1.7.2", "7.0.4.2", "7.0.4.3", "6.1.7.3", "7.0.5", "6.1.7.4", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.5", "6.1.7.6", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.0.8.1", "7.1.3.1", "6.1.7.7", "7.1.3.3", "7.0.8.2", "7.0.8.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "7.0.8.4", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.1.4", "7.2.1", "8.0.0.beta1", "7.1.4.1", "6.1.7.9", "7.2.1.1", "7.0.8.5", "8.0.0.rc1", "7.0.8.6", "7.1.4.2", "6.1.7.10", "7.2.1.2", "8.0.0.rc2", "7.2.2", "7.1.5", "8.0.0", "7.2.2.1", "7.1.5.1", "7.0.8.7", "8.0.0.1", "8.0.1", "8.0.2", "8.0.2.1", "7.2.2.2", "7.1.5.2", "8.1.0.beta1", "8.0.3", "8.1.0.rc1", "8.1.0", "8.1.1", "8.0.4", "7.2.3", "7.1.6", "7.0.10", "7.0.9", "8.1.2"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Published date: 2026-03-23
Framework: rails
CVE: 2026-33170
Links:

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.
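As an added illustration, not ActiveSupport's code, a minimal model of the flag handling described above: ToySafeBuffer, its two formatting methods and the render stand-in are constructed here to show the unfixed and fixed behaviour of % side by side, assuming that % escapes its interpolated arguments and that the renderer trusts html_safe?.

```ruby
require "cgi"

# Constructed model of the behaviour described in the advisory; this is not
# ActiveSupport::SafeBuffer. Only the flag handling matters here.
class ToySafeBuffer
  def initialize(str, html_unsafe: false)
    @str = str.dup
    @html_unsafe = html_unsafe
  end

  def html_safe?
    !@html_unsafe
  end

  def to_s
    @str
  end

  # In-place mutation can splice arbitrary text into the buffer, so after it
  # the buffer can no longer vouch for its own content.
  def gsub!(pattern, replacement)
    @str.gsub!(pattern, replacement.to_s)
    @html_unsafe = true
    self
  end

  # Unfixed %: the arguments are escaped, but the receiver's @html_unsafe flag
  # is dropped, so a mutated buffer comes back claiming to be safe.
  def format_unfixed(*args)
    ToySafeBuffer.new(@str % args.map { |a| escape_arg(a) })
  end

  # Fixed %: same formatting, but the flag travels with the result.
  def format_fixed(*args)
    ToySafeBuffer.new(@str % args.map { |a| escape_arg(a) }, html_unsafe: @html_unsafe)
  end

  private

  # Interpolated arguments are escaped unless they are already-safe buffers.
  def escape_arg(arg)
    arg.is_a?(ToySafeBuffer) && arg.html_safe? ? arg.to_s : CGI.escapeHTML(arg.to_s)
  end
end

# Stand-in for ERB auto-escaping: trusted buffers are emitted verbatim,
# everything else is escaped on output.
def render(buffer)
  buffer.html_safe? ? buffer.to_s : CGI.escapeHTML(buffer.to_s)
end

# Walks the scenario from the advisory with a constructed untrusted fragment
# and returns what reaches the page under each version of %.
def compare_outputs(untrusted_fragment)
  buffer = ToySafeBuffer.new("Hello %s")     # starts out trusted
  buffer.gsub!("Hello", untrusted_fragment)  # mutated in place: now untrusted
  {
    unfixed: render(buffer.format_unfixed("guest")),
    fixed: render(buffer.format_fixed("guest"))
  }
end
```

With the unfixed %, the spliced-in fragment reaches the output unescaped; with the fix, the result stays flagged unsafe and the renderer escapes it.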

Releases

The fixed releases are available at the normal locations.

Affected versions: ["6.0.2.1", "6.0.2.rc1", "5.2.4.3", "5.2.0", "5.1.7.rc1", "5.0.4", "5.0.0.rc1", "4.2.10", "4.2.8.rc1", "4.2.5.rc1", "4.1.14.2", "4.1.14.rc2", "4.1.11", "4.1.2.rc3", "4.0.12", "4.0.2", "4.0.0.rc1", "3.2.22.3", "3.2.22.1", "3.2.14", "3.2.14.rc1", "3.2.13.rc1", "3.2.12", "3.2.8.rc1", "3.2.6", "3.2.5", "3.2.0.rc2", "6.0.3.2", "6.0.3", "5.2.4.1", "5.2.2.rc1", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.6.2", "5.1.5.rc1", "5.1.4", "5.1.3.rc1", "5.1.0.rc2", "5.0.7", "5.0.1", "5.0.1.rc2", "5.0.0.beta2", "4.2.9.rc1", "4.2.5.1", "4.2.1.rc2", "4.2.1.rc1", "4.1.13", "4.1.4", "4.0.10.rc1", "4.0.8", "4.0.6.rc3", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc1", "4.0.0.beta1", "3.2.22", "3.2.17", "3.2.7.rc1", "3.2.4", "3.2.3", "3.1.10", "3.1.9", "3.1.6", "3.0.15", "3.0.7.rc2", "3.0.3", "3.0.0", "3.1.2.rc1", "3.1.1", "3.1.0.rc8", "3.0.12", "3.0.9.rc4", "3.0.6.rc2", "3.0.0.beta4", "3.0.0.beta2", "3.0.pre", "2.3.17", "2.3.11", "2.3.9", "2.3.9.pre", "6.0.3.1", "6.0.2.2", "6.0.0", "6.0.0.rc2", "5.2.4", "5.2.2.1", "5.2.1.rc1", "5.1.6.1", "5.1.4.rc1", "5.1.3", "5.0.5.rc2", "5.0.4.rc1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.8", "4.2.6.rc1", "4.2.3.rc1", "4.1.16.rc1", "4.1.12.rc1", "4.1.10.rc4", "4.1.10.rc1", "4.1.9", "4.1.6", "4.1.6.rc2", "4.0.3", "3.2.22.4", "3.2.19", "3.2.18", "3.2.16", "3.2.15.rc1", "3.2.13.rc2", "3.2.9.rc2", "3.1.12", "3.1.11", "3.1.5", "3.1.2", "6.0.3.rc1", "6.0.2", "6.0.1", "5.2.4.2", "5.2.4.rc1", "5.2.0.rc1", "5.1.2.rc1", "5.1.0.rc1", "5.0.6", "5.0.2", "4.2.9", "4.2.9.rc2", "4.2.6", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.0.beta2", "4.1.15.rc1", "4.1.14.1", "4.1.13.rc1", "4.1.10", "4.1.9.rc1", "4.1.6.rc1", "4.0.11.1", "4.0.10", "4.0.6.rc2", "4.0.4.rc1", "4.0.0.rc2", "3.2.15.rc2", "3.2.3.rc1", "3.2.2", "3.2.0", "3.1.8", "3.1.4.rc1", "3.1.0.rc1", "3.0.20", "3.0.17", "3.0.13", "3.0.13.rc1", "3.0.11", "3.0.9", "3.0.9.rc5", "3.0.8.rc2", "3.0.6.rc1", "3.0.5", "2.3.18", "3.1.1.rc2", "3.1.0", "3.1.0.rc6", "3.1.0.rc3", "3.0.19", "3.0.4", "3.0.1", "6.0.3.3", 
"6.0.2.rc2", "5.2.3.rc1", "5.1.3.rc3", "5.1.1", "5.0.0", "5.0.0.racecar1", "5.0.0.beta4", "4.2.10.rc1", "4.2.7.1", "4.2.5.rc2", "4.2.4.rc1", "4.2.2", "4.2.1", "4.2.0", "4.1.10.rc3", "4.1.10.rc2", "4.1.8", "4.1.2.rc1", "4.1.1", "4.1.0.beta1", "4.0.9", "4.0.6.rc1", "3.2.22.2", "3.2.10", "3.2.7", "3.1.7", "6.0.0.beta2", "5.2.4.4", "5.2.1.1", "5.1.3.rc2", "5.0.7.1", "5.0.6.rc1", "5.0.3", "5.0.2.rc1", "5.0.0.rc2", "4.2.11", "4.2.5.2", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.1.12", "4.1.7.1", "4.1.5", "4.1.2.rc2", "4.1.0.rc1", "4.0.13", "4.0.6", "4.0.5", "4.0.1", "4.0.1.rc2", "3.2.21", "3.2.20", "3.2.9.rc3", "3.2.9.rc1", "3.2.4.rc1", "3.2.3.rc2", "3.1.1.rc3", "3.1.0.rc4", "3.0.18", "3.0.16", "3.0.14", "3.0.10", "3.0.9.rc1", "3.0.8", "3.0.8.rc1", "3.0.6", "3.0.4.rc1", "3.0.2", "3.0.0.beta", "2.3.12", "3.1.0.rc2", "3.1.0.beta1", "3.0.10.rc1", "3.0.9.rc3", "3.0.5.rc1", "2.3.14", "2.3.10", "2.3.8.pre1", "2.3.6", "6.0.0.beta3", "5.2.2", "5.2.1", "5.2.0.beta1", "5.1.5", "5.1.2", "5.1.0.beta1", "5.0.7.2", "5.0.5", "5.0.5.rc1", "5.0.1.rc1", "5.0.0.1", "5.0.0.beta3", "5.0.0.beta1.1", "4.2.7", "4.2.7.rc1", "4.2.5", "4.2.0.beta4", "4.2.0.beta3", "4.1.16", "4.1.14", "4.1.3", "4.1.0.rc2", "4.1.0.beta2", "4.0.13.rc1", "4.0.11", "4.0.10.rc2", "4.0.7", "4.0.4", "3.2.22.5", "3.2.15.rc3", "3.2.14.rc2", "3.2.13", "3.2.9", "3.2.8", "3.2.8.rc2", "3.2.2.rc1", "3.2.1", "3.2.0.rc1", "3.1.5.rc1", "3.1.4", "3.1.3", "6.1.0.rc1", "6.0.3.4", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta1", "5.2.3", "5.1.6", "5.1.0", "5.0.0.beta1", "4.2.1.rc4", "4.2.0.beta1", "4.1.15", "4.1.14.rc1", "4.1.7", "4.1.2", "4.1.0", "4.0.0", "3.2.15", "3.2.11", "3.1.2.rc2", "3.1.1.rc1", "3.1.0.rc5", "3.0.8.rc4", "3.0.7.rc1", "2.3.8", "2.3.7", "2.3.6.pre", "3.0.12.rc1", "3.0.7", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta3", "2.3.16", "2.3.15", "2.3.2", "2.1.1", "1.0.2", "2.3.5", "1.4.3", "1.4.2", "1.2.1", "2.3.3", "2.2.3", "2.0.0", "1.4.1", "1.2.4", "1.1.1", "1.1.0", "2.2.2", "2.0.4", "2.0.1", "1.4.0", "1.2.3", "2.3.4", "2.1.2", 
"1.3.1", "1.2.5", "1.2.2", "1.0.3", "2.1.0", "2.0.2", "1.3.0", "2.0.5", "1.4.4", "1.0.4", "1.0.1", "1.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.0.3.5", "5.2.4.5", "6.1.2.1", "6.1.3", "6.1.3.1", "5.2.5", "6.0.3.6", "6.0.3.7", "6.1.3.2", "5.2.4.6", "5.2.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha1", "7.0.0.alpha2", "7.0.0.rc1", "6.1.4.3", "7.0.0.rc3", "6.0.4.2", "6.1.4.2", "6.0.4.3", "7.0.0.rc2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.5", "6.0.4.6", "5.2.6.1", "5.2.6.2", "6.1.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "6.1.4.7", "5.2.6.3", "6.1.5", "5.2.7", "5.2.7.1", "6.0.4.8", "7.0.2.4", "6.1.5.1", "7.0.3", "5.2.8", "6.0.5", "6.1.6", "6.1.6.1", "5.2.8.1", "6.0.5.1", "7.0.3.1", "6.1.7", "7.0.4", "6.0.6", "7.0.4.1", "6.0.6.1", "6.1.7.1", "6.1.7.2", "7.0.4.2", "7.0.4.3", "6.1.7.3", "7.0.5", "6.1.7.4", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.5", "6.1.7.6", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.0.8.1", "7.1.3.1", "6.1.7.7", "7.1.3.3", "7.0.8.2", "7.0.8.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "7.0.8.4", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.1.4", "7.2.1", "8.0.0.beta1", "7.1.4.1", "6.1.7.9", "7.2.1.1", "7.0.8.5", "8.0.0.rc1", "7.0.8.6", "7.1.4.2", "6.1.7.10", "7.2.1.2", "8.0.0.rc2", "7.2.2", "7.1.5", "8.0.0", "7.2.2.1", "7.1.5.1", "7.0.8.7", "8.0.0.1", "8.0.1", "8.0.2", "8.0.2.1", "7.2.2.2", "7.1.5.2", "8.1.0.beta1", "8.0.3", "8.1.0.rc1", "8.1.0", "8.1.1", "8.0.4", "7.2.3", "7.1.6", "7.0.10", "7.0.9", "8.1.2"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Rails Active Support has a possible DoS vulnerability in its number helpers

Published date: 2026-03-23
Framework: rails
CVE: 2026-33176
Links:

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which, when converted to a string, can expand into an extremely large decimal representation. Formatting the expanded number can cause excessive memory allocation and CPU consumption, possibly resulting in a DoS vulnerability.
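An added example, not Rails code, covering both number-helper advisories on this page (the ReDoS in number_to_delimited and the scientific-notation expansion): a validator that refuses scientific notation and caps the digit count before any formatting happens, and a linear-time delimiter routine beside the lookahead-regex style that rescans the remaining digits at every position. The helper names, the digit cap and the regex are constructed for illustration, not quoted from the advisories.

```ruby
# Constructed helpers; none of this is Rails code.

PLAIN_DECIMAL = /\A[+-]?\d+(?:\.\d+)?\z/
MAX_DIGITS = 40 # constructed cap; size it to the largest value your app legitimately formats

# Accepts only a plain decimal literal. Scientific notation ("1e10000"),
# hex, underscores and whitespace are refused instead of being expanded by
# the number helpers. Note that a Float such as 1e20 stringifies as
# "1.0e+20" and is therefore refused too; convert it deliberately first.
def plain_decimal?(value)
  s = value.to_s
  s.match?(PLAIN_DECIMAL) && s.count("0-9") <= MAX_DIGITS
end

# Lookahead-style delimiter insertion (a typical regex for this task, not
# quoted from the advisory). At every digit the lookahead rescans the
# digits to its right, so the work grows quadratically with input length.
def delimit_regex(number_string, delimiter: ",")
  int, frac = number_string.split(".", 2)
  int = int.gsub(/(\d)(?=(\d\d\d)+(?!\d))/, "\\1#{delimiter}")
  frac ? "#{int}.#{frac}" : int
end

# Linear-time alternative: one left-to-right pass over the integer part,
# after validating the input so nothing oversized reaches this point.
def delimit_linear(number_string, delimiter: ",", separator: ".")
  unless plain_decimal?(number_string)
    raise ArgumentError, "not a plain decimal literal: #{number_string.inspect}"
  end
  sign = number_string.start_with?("-", "+") ? number_string[0] : ""
  int, frac = number_string.delete_prefix(sign).split(".", 2)
  out = +""
  int.each_char.with_index do |digit, i|
    remaining = int.length - i # digits still to emit, including this one
    out << digit
    out << delimiter if remaining > 1 && (remaining - 1) % 3 == 0
  end
  frac ? "#{sign}#{out}#{separator}#{frac}" : "#{sign}#{out}"
end
```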

Releases

The fixed releases are available at the normal locations.

Affected versions: ["6.0.2.1", "6.0.2.rc1", "5.2.4.3", "5.2.0", "5.1.7.rc1", "5.0.4", "5.0.0.rc1", "4.2.10", "4.2.8.rc1", "4.2.5.rc1", "4.1.14.2", "4.1.14.rc2", "4.1.11", "4.1.2.rc3", "4.0.12", "4.0.2", "4.0.0.rc1", "3.2.22.3", "3.2.22.1", "3.2.14", "3.2.14.rc1", "3.2.13.rc1", "3.2.12", "3.2.8.rc1", "3.2.6", "3.2.5", "3.2.0.rc2", "6.0.3.2", "6.0.3", "5.2.4.1", "5.2.2.rc1", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.6.2", "5.1.5.rc1", "5.1.4", "5.1.3.rc1", "5.1.0.rc2", "5.0.7", "5.0.1", "5.0.1.rc2", "5.0.0.beta2", "4.2.9.rc1", "4.2.5.1", "4.2.1.rc2", "4.2.1.rc1", "4.1.13", "4.1.4", "4.0.10.rc1", "4.0.8", "4.0.6.rc3", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc1", "4.0.0.beta1", "3.2.22", "3.2.17", "3.2.7.rc1", "3.2.4", "3.2.3", "3.1.10", "3.1.9", "3.1.6", "3.0.15", "3.0.7.rc2", "3.0.3", "3.0.0", "3.1.2.rc1", "3.1.1", "3.1.0.rc8", "3.0.12", "3.0.9.rc4", "3.0.6.rc2", "3.0.0.beta4", "3.0.0.beta2", "3.0.pre", "2.3.17", "2.3.11", "2.3.9", "2.3.9.pre", "6.0.3.1", "6.0.2.2", "6.0.0", "6.0.0.rc2", "5.2.4", "5.2.2.1", "5.2.1.rc1", "5.1.6.1", "5.1.4.rc1", "5.1.3", "5.0.5.rc2", "5.0.4.rc1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.8", "4.2.6.rc1", "4.2.3.rc1", "4.1.16.rc1", "4.1.12.rc1", "4.1.10.rc4", "4.1.10.rc1", "4.1.9", "4.1.6", "4.1.6.rc2", "4.0.3", "3.2.22.4", "3.2.19", "3.2.18", "3.2.16", "3.2.15.rc1", "3.2.13.rc2", "3.2.9.rc2", "3.1.12", "3.1.11", "3.1.5", "3.1.2", "6.0.3.rc1", "6.0.2", "6.0.1", "5.2.4.2", "5.2.4.rc1", "5.2.0.rc1", "5.1.2.rc1", "5.1.0.rc1", "5.0.6", "5.0.2", "4.2.9", "4.2.9.rc2", "4.2.6", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.0.beta2", "4.1.15.rc1", "4.1.14.1", "4.1.13.rc1", "4.1.10", "4.1.9.rc1", "4.1.6.rc1", "4.0.11.1", "4.0.10", "4.0.6.rc2", "4.0.4.rc1", "4.0.0.rc2", "3.2.15.rc2", "3.2.3.rc1", "3.2.2", "3.2.0", "3.1.8", "3.1.4.rc1", "3.1.0.rc1", "3.0.20", "3.0.17", "3.0.13", "3.0.13.rc1", "3.0.11", "3.0.9", "3.0.9.rc5", "3.0.8.rc2", "3.0.6.rc1", "3.0.5", "2.3.18", "3.1.1.rc2", "3.1.0", "3.1.0.rc6", "3.1.0.rc3", "3.0.19", "3.0.4", "3.0.1", "6.0.3.3", 
"6.0.2.rc2", "5.2.3.rc1", "5.1.3.rc3", "5.1.1", "5.0.0", "5.0.0.racecar1", "5.0.0.beta4", "4.2.10.rc1", "4.2.7.1", "4.2.5.rc2", "4.2.4.rc1", "4.2.2", "4.2.1", "4.2.0", "4.1.10.rc3", "4.1.10.rc2", "4.1.8", "4.1.2.rc1", "4.1.1", "4.1.0.beta1", "4.0.9", "4.0.6.rc1", "3.2.22.2", "3.2.10", "3.2.7", "3.1.7", "6.0.0.beta2", "5.2.4.4", "5.2.1.1", "5.1.3.rc2", "5.0.7.1", "5.0.6.rc1", "5.0.3", "5.0.2.rc1", "5.0.0.rc2", "4.2.11", "4.2.5.2", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.1.12", "4.1.7.1", "4.1.5", "4.1.2.rc2", "4.1.0.rc1", "4.0.13", "4.0.6", "4.0.5", "4.0.1", "4.0.1.rc2", "3.2.21", "3.2.20", "3.2.9.rc3", "3.2.9.rc1", "3.2.4.rc1", "3.2.3.rc2", "3.1.1.rc3", "3.1.0.rc4", "3.0.18", "3.0.16", "3.0.14", "3.0.10", "3.0.9.rc1", "3.0.8", "3.0.8.rc1", "3.0.6", "3.0.4.rc1", "3.0.2", "3.0.0.beta", "2.3.12", "3.1.0.rc2", "3.1.0.beta1", "3.0.10.rc1", "3.0.9.rc3", "3.0.5.rc1", "2.3.14", "2.3.10", "2.3.8.pre1", "2.3.6", "6.0.0.beta3", "5.2.2", "5.2.1", "5.2.0.beta1", "5.1.5", "5.1.2", "5.1.0.beta1", "5.0.7.2", "5.0.5", "5.0.5.rc1", "5.0.1.rc1", "5.0.0.1", "5.0.0.beta3", "5.0.0.beta1.1", "4.2.7", "4.2.7.rc1", "4.2.5", "4.2.0.beta4", "4.2.0.beta3", "4.1.16", "4.1.14", "4.1.3", "4.1.0.rc2", "4.1.0.beta2", "4.0.13.rc1", "4.0.11", "4.0.10.rc2", "4.0.7", "4.0.4", "3.2.22.5", "3.2.15.rc3", "3.2.14.rc2", "3.2.13", "3.2.9", "3.2.8", "3.2.8.rc2", "3.2.2.rc1", "3.2.1", "3.2.0.rc1", "3.1.5.rc1", "3.1.4", "3.1.3", "6.1.0.rc1", "6.0.3.4", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta1", "5.2.3", "5.1.6", "5.1.0", "5.0.0.beta1", "4.2.1.rc4", "4.2.0.beta1", "4.1.15", "4.1.14.rc1", "4.1.7", "4.1.2", "4.1.0", "4.0.0", "3.2.15", "3.2.11", "3.1.2.rc2", "3.1.1.rc1", "3.1.0.rc5", "3.0.8.rc4", "3.0.7.rc1", "2.3.8", "2.3.7", "2.3.6.pre", "3.0.12.rc1", "3.0.7", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta3", "2.3.16", "2.3.15", "2.3.2", "2.1.1", "1.0.2", "2.3.5", "1.4.3", "1.4.2", "1.2.1", "2.3.3", "2.2.3", "2.0.0", "1.4.1", "1.2.4", "1.1.1", "1.1.0", "2.2.2", "2.0.4", "2.0.1", "1.4.0", "1.2.3", "2.3.4", "2.1.2", 
"1.3.1", "1.2.5", "1.2.2", "1.0.3", "2.1.0", "2.0.2", "1.3.0", "2.0.5", "1.4.4", "1.0.4", "1.0.1", "1.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.0.3.5", "5.2.4.5", "6.1.2.1", "6.1.3", "6.1.3.1", "5.2.5", "6.0.3.6", "6.0.3.7", "6.1.3.2", "5.2.4.6", "5.2.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha1", "7.0.0.alpha2", "7.0.0.rc1", "6.1.4.3", "7.0.0.rc3", "6.0.4.2", "6.1.4.2", "6.0.4.3", "7.0.0.rc2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.5", "6.0.4.6", "5.2.6.1", "5.2.6.2", "6.1.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "6.1.4.7", "5.2.6.3", "6.1.5", "5.2.7", "5.2.7.1", "6.0.4.8", "7.0.2.4", "6.1.5.1", "7.0.3", "5.2.8", "6.0.5", "6.1.6", "6.1.6.1", "5.2.8.1", "6.0.5.1", "7.0.3.1", "6.1.7", "7.0.4", "6.0.6", "7.0.4.1", "6.0.6.1", "6.1.7.1", "6.1.7.2", "7.0.4.2", "7.0.4.3", "6.1.7.3", "7.0.5", "6.1.7.4", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.5", "6.1.7.6", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.0.8.1", "7.1.3.1", "6.1.7.7", "7.1.3.3", "7.0.8.2", "7.0.8.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "7.0.8.4", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.1.4", "7.2.1", "8.0.0.beta1", "7.1.4.1", "6.1.7.9", "7.2.1.1", "7.0.8.5", "8.0.0.rc1", "7.0.8.6", "7.1.4.2", "6.1.7.10", "7.2.1.2", "8.0.0.rc2", "7.2.2", "7.1.5", "8.0.0", "7.2.2.1", "7.1.5.1", "7.0.8.7", "8.0.0.1", "8.0.1", "8.0.2", "8.0.2.1", "7.2.2.2", "7.1.5.2", "8.1.0.beta1", "8.0.3", "8.1.0.rc1", "8.1.0", "8.1.1", "8.0.4", "7.2.3", "7.1.6", "7.0.10", "7.0.9", "8.1.2"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

502 Other Versions

Version License Security Released
1.0.1 UNKNOWN 19 2009-07-25 - 18:35 almost 17 years
1.0.0 UNKNOWN 19 2009-07-25 - 18:35 almost 17 years