OESA-2026-1967

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1967
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-1967.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-1967
Upstream
  • CVE-2026-35611
Published
2026-04-17T13:02:43Z
Modified
2026-04-17T13:20:42.650441Z
Summary
rubygem-addressable security update
Details

Addressable is a replacement for the URI implementation that is part of Ruby's standard library. It more closely conforms to the relevant RFCs and adds support for URI and URL templates.

Security Fix(es):

Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking:

  1. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI.
  2. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables.

When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. The first pattern was partially addressed in 2.8.10 for certain operator combinations. Both patterns are fully remediated in 2.9.0.

Users of the URI parsing capabilities in Addressable but not the URI template matching capabilities are unaffected.(CVE-2026-35611)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4
rubygem-addressable

Package

Name
rubygem-addressable
Purl
pkg:rpm/openEuler/rubygem-addressable&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.2-3.oe2003sp4

Ecosystem specific 

{
    "src": [
        "rubygem-addressable-2.5.2-3.oe2003sp4.src.rpm"
    ],
    "noarch": [
        "rubygem-addressable-2.5.2-3.oe2003sp4.noarch.rpm",
        "rubygem-addressable-doc-2.5.2-3.oe2003sp4.noarch.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1967.json"
openEuler:22.03-LTS-SP4
rubygem-addressable

Package

Name
rubygem-addressable
Purl
pkg:rpm/openEuler/rubygem-addressable&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.0-2.oe2203sp4

Ecosystem specific 

{
    "src": [
        "rubygem-addressable-2.8.0-2.oe2203sp4.src.rpm"
    ],
    "noarch": [
        "rubygem-addressable-2.8.0-2.oe2203sp4.noarch.rpm",
        "rubygem-addressable-doc-2.8.0-2.oe2203sp4.noarch.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1967.json"
openEuler:24.03-LTS
rubygem-addressable

Package

Name
rubygem-addressable
Purl
pkg:rpm/openEuler/rubygem-addressable&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.6-2.oe2403

Ecosystem specific 

{
    "src": [
        "rubygem-addressable-2.8.6-2.oe2403sp1.src.rpm",
        "rubygem-addressable-2.8.6-2.oe2403sp2.src.rpm",
        "rubygem-addressable-2.8.6-2.oe2403sp3.src.rpm",
        "rubygem-addressable-2.8.6-2.oe2403.src.rpm"
    ],
    "noarch": [
        "rubygem-addressable-2.8.6-2.oe2403sp1.noarch.rpm",
        "rubygem-addressable-doc-2.8.6-2.oe2403sp1.noarch.rpm",
        "rubygem-addressable-2.8.6-2.oe2403sp2.noarch.rpm",
        "rubygem-addressable-doc-2.8.6-2.oe2403sp2.noarch.rpm",
        "rubygem-addressable-2.8.6-2.oe2403sp3.noarch.rpm",
        "rubygem-addressable-doc-2.8.6-2.oe2403sp3.noarch.rpm",
        "rubygem-addressable-2.8.6-2.oe2403.noarch.rpm",
        "rubygem-addressable-doc-2.8.6-2.oe2403.noarch.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1967.json"
openEuler:24.03-LTS-SP1
rubygem-addressable

Package

Name
rubygem-addressable
Purl
pkg:rpm/openEuler/rubygem-addressable&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.6-2.oe2403sp1

Ecosystem specific 

{
    "src": [
        "rubygem-addressable-2.8.6-2.oe2403sp1.src.rpm"
    ],
    "noarch": [
        "rubygem-addressable-2.8.6-2.oe2403sp1.noarch.rpm",
        "rubygem-addressable-doc-2.8.6-2.oe2403sp1.noarch.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1967.json"
openEuler:24.03-LTS-SP2
rubygem-addressable

Package

Name
rubygem-addressable
Purl
pkg:rpm/openEuler/rubygem-addressable&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.6-2.oe2403sp2

Ecosystem specific 

{
    "src": [
        "rubygem-addressable-2.8.6-2.oe2403sp2.src.rpm"
    ],
    "noarch": [
        "rubygem-addressable-2.8.6-2.oe2403sp2.noarch.rpm",
        "rubygem-addressable-doc-2.8.6-2.oe2403sp2.noarch.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1967.json"
openEuler:24.03-LTS-SP3
rubygem-addressable

Package

Name
rubygem-addressable
Purl
pkg:rpm/openEuler/rubygem-addressable&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.6-2.oe2403sp3

Ecosystem specific 

{
    "src": [
        "rubygem-addressable-2.8.6-2.oe2403sp3.src.rpm"
    ],
    "noarch": [
        "rubygem-addressable-2.8.6-2.oe2403sp3.noarch.rpm",
        "rubygem-addressable-doc-2.8.6-2.oe2403sp3.noarch.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1967.json"