Activesupport

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:rails:activesupport:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorRails (c2f75d8c-3de5-5ca8-bae8-6b2589edf586)
ProductActivesupport (55181f07-4052-53e5-b37f-965693ca4aee)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-33176 vulnerable 2026-06-08 07:59:09.295821 Rails Active Support has a possible DoS vulnerability in its number helpers
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23T23:29:27.933Z
Updated: 2026-03-24T18:42:48.858Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33170 vulnerable 2026-06-08 07:59:09.279049 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23T23:09:48.923Z
Updated: 2026-03-25T19:20:28.280Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33169 vulnerable 2026-06-08 07:59:09.277578 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23T23:07:07.630Z
Updated: 2026-03-24T15:46:43.465Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-38037 vulnerable 2026-06-08 06:08:16.792559 Details available
MEDIUM (5.5)
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.
Published: 2025-01-09T00:33:47.704Z
Updated: 2025-02-15T00:10:27.790Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-28120 vulnerable 2026-06-08 06:01:09.694353 Details available
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
Published: 2025-01-09T00:33:47.658Z
Updated: 2025-01-09T21:46:38.220Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.