GHSA-2j26-frm8-cmj9

Suggest an improvement
Source
https://github.com/advisories/GHSA-2j26-frm8-cmj9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2j26-frm8-cmj9/GHSA-2j26-frm8-cmj9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2j26-frm8-cmj9
Aliases
Downstream
Related
Published
2026-03-23T21:15:16Z
Modified
2026-03-25T20:47:37.057053Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Rails Active Support has a possible DoS vulnerability in its number helpers
Details

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T21:15:16Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-24T00:16:28Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ]
}
References

Affected packages

RubyGems / activesupport

Package

Name
activesupport
Purl
pkg:gem/activesupport

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.1.0.beta1
Fixed
8.1.2.1

Affected versions

8.*
8.1.0.beta1
8.1.0.rc1
8.1.0
8.1.1
8.1.2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2j26-frm8-cmj9/GHSA-2j26-frm8-cmj9.json"

RubyGems / activesupport

Package

Name
activesupport
Purl
pkg:gem/activesupport

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0.beta1
Fixed
8.0.4.1

Affected versions

8.*
8.0.0.beta1
8.0.0.rc1
8.0.0.rc2
8.0.0
8.0.0.1
8.0.1
8.0.2
8.0.2.1
8.0.3
8.0.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2j26-frm8-cmj9/GHSA-2j26-frm8-cmj9.json"

RubyGems / activesupport

Package

Name
activesupport
Purl
pkg:gem/activesupport

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.2.3.1

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6.pre
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11
2.3.12
2.3.14
2.3.15
2.3.16
2.3.17
2.3.18
3.*
3.0.0.beta
3.0.0.beta2
3.0.0.beta3
3.0.0.beta4
3.0.pre
3.0.0.rc
3.0.0.rc2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.1.0.beta1
3.1.0.rc1
3.1.0.rc2
3.1.0.rc3
3.1.0.rc4
3.1.0.rc5
3.1.0.rc6
3.1.0.rc8
3.1.0
3.1.1.rc1
3.1.1.rc2
3.1.1.rc3
3.1.1
3.1.2.rc1
3.1.2.rc2
3.1.2
3.1.3
3.1.4.rc1
3.1.4
3.1.5.rc1
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.2.0.rc1
3.2.0.rc2
3.2.0
3.2.1
3.2.2.rc1
3.2.2
3.2.3.rc1
3.2.3.rc2
3.2.3
3.2.4.rc1
3.2.4
3.2.5
3.2.6
3.2.7.rc1
3.2.7
3.2.8.rc1
3.2.8.rc2
3.2.8
3.2.9.rc1
3.2.9.rc2
3.2.9.rc3
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13.rc1
3.2.13.rc2
3.2.13
3.2.14.rc1
3.2.14.rc2
3.2.14
3.2.15.rc1
3.2.15.rc2
3.2.15.rc3
3.2.15
3.2.16
3.2.17
3.2.18
3.2.19
3.2.20
3.2.21
3.2.22
3.2.22.1
3.2.22.2
3.2.22.3
3.2.22.4
3.2.22.5
4.*
4.0.0.beta1
4.0.0.rc1
4.0.0.rc2
4.0.0
4.0.1.rc1
4.0.1.rc2
4.0.1.rc3
4.0.1.rc4
4.0.1
4.0.2
4.0.3
4.0.4.rc1
4.0.4
4.0.5
4.0.6.rc1
4.0.6.rc2
4.0.6.rc3
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10.rc1
4.0.10.rc2
4.0.10
4.0.11
4.0.11.1
4.0.12
4.0.13.rc1
4.0.13
4.1.0.beta1
4.1.0.beta2
4.1.0.rc1
4.1.0.rc2
4.1.0
4.1.1
4.1.2.rc1
4.1.2.rc2
4.1.2.rc3
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6.rc1
4.1.6.rc2
4.1.6
4.1.7
4.1.7.1
4.1.8
4.1.9.rc1
4.1.9
4.1.10.rc1
4.1.10.rc2
4.1.10.rc3
4.1.10.rc4
4.1.10
4.1.11
4.1.12.rc1
4.1.12
4.1.13.rc1
4.1.13
4.1.14.rc1
4.1.14.rc2
4.1.14
4.1.14.1
4.1.14.2
4.1.15.rc1
4.1.15
4.1.16.rc1
4.1.16
4.2.0.beta1
4.2.0.beta2
4.2.0.beta3
4.2.0.beta4
4.2.0.rc1
4.2.0.rc2
4.2.0.rc3
4.2.0
4.2.1.rc1
4.2.1.rc2
4.2.1.rc3
4.2.1.rc4
4.2.1
4.2.2
4.2.3.rc1
4.2.3
4.2.4.rc1
4.2.4
4.2.5.rc1
4.2.5.rc2
4.2.5
4.2.5.1
4.2.5.2
4.2.6.rc1
4.2.6
4.2.7.rc1
4.2.7
4.2.7.1
4.2.8.rc1
4.2.8
4.2.9.rc1
4.2.9.rc2
4.2.9
4.2.10.rc1
4.2.10
4.2.11
4.2.11.1
4.2.11.2
4.2.11.3
5.*
5.0.0.beta1
5.0.0.beta1.1
5.0.0.beta2
5.0.0.beta3
5.0.0.beta4
5.0.0.racecar1
5.0.0.rc1
5.0.0.rc2
5.0.0
5.0.0.1
5.0.1.rc1
5.0.1.rc2
5.0.1
5.0.2.rc1
5.0.2
5.0.3
5.0.4.rc1
5.0.4
5.0.5.rc1
5.0.5.rc2
5.0.5
5.0.6.rc1
5.0.6
5.0.7
5.0.7.1
5.0.7.2
5.1.0.beta1
5.1.0.rc1
5.1.0.rc2
5.1.0
5.1.1
5.1.2.rc1
5.1.2
5.1.3.rc1
5.1.3.rc2
5.1.3.rc3
5.1.3
5.1.4.rc1
5.1.4
5.1.5.rc1
5.1.5
5.1.6
5.1.6.1
5.1.6.2
5.1.7.rc1
5.1.7
5.2.0.beta1
5.2.0.beta2
5.2.0.rc1
5.2.0.rc2
5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.5
5.2.6
5.2.6.1
5.2.6.2
5.2.6.3
5.2.7
5.2.7.1
5.2.8
5.2.8.1
6.*
6.0.0.beta1
6.0.0.beta2
6.0.0.beta3
6.0.0.rc1
6.0.0.rc2
6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6
6.0.4.7
6.0.4.8
6.0.5
6.0.5.1
6.0.6
6.0.6.1
6.1.0.rc1
6.1.0.rc2
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6
6.1.4.7
6.1.5
6.1.5.1
6.1.6
6.1.6.1
6.1.7
6.1.7.1
6.1.7.2
6.1.7.3
6.1.7.4
6.1.7.5
6.1.7.6
6.1.7.7
6.1.7.8
6.1.7.9
6.1.7.10
7.*
7.0.0.alpha1
7.0.0.alpha2
7.0.0.rc1
7.0.0.rc2
7.0.0.rc3
7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2
7.0.2.3
7.0.2.4
7.0.3
7.0.3.1
7.0.4
7.0.4.1
7.0.4.2
7.0.4.3
7.0.5
7.0.5.1
7.0.6
7.0.7
7.0.7.1
7.0.7.2
7.0.8
7.0.8.1
7.0.8.2
7.0.8.3
7.0.8.4
7.0.8.5
7.0.8.6
7.0.8.7
7.0.9
7.0.10
7.1.0.beta1
7.1.0.rc1
7.1.0.rc2
7.1.0
7.1.1
7.1.2
7.1.3
7.1.3.1
7.1.3.2
7.1.3.3
7.1.3.4
7.1.4
7.1.4.1
7.1.4.2
7.1.5
7.1.5.1
7.1.5.2
7.1.6
7.2.0.beta1
7.2.0.beta2
7.2.0.beta3
7.2.0.rc1
7.2.0
7.2.1
7.2.1.1
7.2.1.2
7.2.2
7.2.2.1
7.2.2.2
7.2.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2j26-frm8-cmj9/GHSA-2j26-frm8-cmj9.json"