
CVE-2026-33169: Regular Expression Denial of Service (ReDoS) in ActiveSupport Number Formatting

Vulnerability ID: CVE-2026-33169
CVSS Score: 6.9
Published: 2026-03-23

CVE-2026-33169 is a Regular Expression Denial of Service (ReDoS) vulnerability in the ActiveSupport component of Ruby on Rails. The flaw exists within the NumberToDelimitedConverter class, where an inefficient regular expression used for formatting numeric strings exhibits quadratic time complexity. An attacker can trigger this vulnerability by supplying excessively long numeric strings, leading to CPU exhaustion and application denial of service.

TL;DR

A ReDoS vulnerability in Rails ActiveSupport number_to_delimited allows unauthenticated attackers to exhaust server CPU resources via excessively long numeric inputs, causing denial of service.

⚠️ Exploit Status: PoC

Technical Details

CWE ID: CWE-1333, CWE-400
Attack Vector: Network
CVSS 4.0: 6.9
Impact: Denial of Service (DoS)
Exploit Status: PoC (Payload generation
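Added example, not code from the advisory or from Rails: a lookahead delimiter regex of the shape the advisory describes (quadratic cost, assumed for illustration since the advisory does not quote the real pattern) beside a single-pass linear replacement and an input-length guard a defender can put in front of untrusted numeric input. The MAX_DIGITS ceiling and all function names are assumptions.

```ruby
require "benchmark"

# Illustrative lookahead pattern of the kind the advisory describes (assumed; the
# advisory does not quote the actual Rails regex). For every digit the lookahead
# re-scans the rest of the string, so total work grows with the square of length.
LOOKAHEAD_DELIMITER = /(\d)(?=(\d\d\d)+(?!\d))/
MAX_DIGITS = 64 # assumed application-chosen ceiling for untrusted numeric input

def delimit_with_regex(number, delimiter: ",", separator: ".")
  left, right = number.to_s.split(".", 2)
  left = left.gsub(LOOKAHEAD_DELIMITER) { "#{$1}#{delimiter}" }
  [left, right].compact.join(separator)
end

# Linear-time alternative: one left-to-right pass over the integer digits,
# emitting a delimiter whenever the digits still to come form whole groups of 3.
def delimit_linear(number, delimiter: ",", separator: ".")
  str = number.to_s
  sign = str.start_with?("-") ? "-" : ""
  left, right = str.delete_prefix("-").split(".", 2)
  grouped = +""
  left.each_char.with_index do |ch, i|
    remaining = left.length - i - 1 # digits after this one
    grouped << ch
    grouped << delimiter if remaining > 0 && remaining % 3 == 0
  end
  [sign + grouped, right].compact.join(separator)
end

# Mitigation wrapper: bound the length and shape of untrusted input before any
# formatting routine sees it, so cost stays capped whichever implementation runs.
def safe_number_to_delimited(input, max_digits: MAX_DIGITS)
  str = input.to_s
  raise ArgumentError, "input too long (#{str.length} > #{max_digits})" if str.length > max_digits
  raise ArgumentError, "not a plain numeric string" unless str.match?(/\A-?\d+(\.\d+)?\z/)
  delimit_linear(str)
end

# Both implementations must agree on ordinary input; returns true if they do.
def implementations_agree?(samples)
  samples.all? { |s| delimit_with_regex(s) == delimit_linear(s) }
end

# Wall-clock milliseconds to format a string of n nines with each implementation.
def cost_ms(n)
  digits = "9" * n
  { regex: Benchmark.realtime { delimit_with_regex(digits) } * 1000,
    linear: Benchmark.realtime { delimit_linear(digits) } * 1000 }
end

[1_000, 4_000].each { |n| puts "#{n} digits: #{cost_ms(n).inspect}" } if __FILE__ == $0
```

Quadrupling the input length should roughly multiply the regex timing by sixteen while the linear version scales proportionally; a comparable measurement against your own Rails version is a quick way to confirm whether the patched converter is in place.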
Continue reading on Dev.to


