GHSA-h27x-rffw-24p4 · Severity: high · Ecosystem: rubygems — Addressable has a Regular Expression Denial of Service in Addressable templates
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Conclusion & alert: CVE-2026-35611 is rated Moderate Risk (40/100): CVSS High severity, with low exploitation likelihood (EPSS 0.36%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.03% | 0.36% | +0.33% |
| 2 | 2026-05-22 | 0.05% | 0.03% | -0.02% |
| 3 | 2026-04-13 | — | 0.05% | — |
Full EPSS history (4 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-h27x-rffw-24p4 · Severity: high · Ecosystem: rubygems — Addressable has a Regular Expression Denial of Service in Addressable templates
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-35611 not yet assigned priority: Debian including 1 source packages (ruby-addressable), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 5. | https://security-tracker.debian.org/tracker/CVE-2026-35611 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-35611 |
suse
|
medium | — | https://www.suse.com/security/cve/CVE-2026-35611/ |
ubuntu
|
medium | CVE-2026-35611 medium priority: Ubuntu including 1 source packages (ruby-addressable), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 7. | https://ubuntu.com/security/CVE-2026-35611 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| addressable_project | addressable | >= 2.3.0, < 2.9.0 | cpe:2.3:a:addressable_project:addressable:*:*:*:*:*:ruby:*:* |
| URL | Tags |
|---|---|
| https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4 | Mitigation Vendor Advisory |