Vulnerable Library - activesupport-7.2.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (activesupport version) |
Remediation Possible** |
| CVE-2026-33176 |
 High |
7.5 |
activesupport-7.2.3.gem |
Direct |
https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v7.2.3.1,https://github.com/rails/rails.git - v8.0.5,https://github.com/rails/rails.git - v8.1.2.1 |
✅ |
| CVE-2026-33169 |
 Medium |
5.3 |
activesupport-7.2.3.gem |
Direct |
https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1 |
✅ |
| CVE-2026-33170 |
Medium |
4.3 |
activesupport-7.2.3.gem |
Direct |
https://github.com/rails/rails.git - v7.2.3.1,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.5 |
✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-33176
Vulnerable Library - activesupport-7.2.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Dependency Hierarchy:
- ❌ activesupport-7.2.3.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. "1e10000"), which "BigDecimal" expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33176
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: rails/rails@19dbab5
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v7.2.3.1,https://github.com/rails/rails.git - v8.0.5,https://github.com/rails/rails.git - v8.1.2.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-33169
Vulnerable Library - activesupport-7.2.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Dependency Hierarchy:
- ❌ activesupport-7.2.3.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. "NumberToDelimitedConverter" uses a lookahead-based regular expression with "gsub!" to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and "gsub!" can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33169
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: rails/rails@b54a4b3
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-33170
Vulnerable Library - activesupport-7.2.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Dependency Hierarchy:
- ❌ activesupport-7.2.3.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, "SafeBuffer#%" does not propagate the "@html_unsafe" flag to the newly created buffer. If a "SafeBuffer" is mutated in place (e.g. via "gsub!") and then formatted with "%" using untrusted arguments, the result incorrectly reports "html_safe? == true", bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33170
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: rails/rails@6e8a811
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v7.2.3.1,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.5
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - activesupport-7.2.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. "1e10000"), which "BigDecimal" expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33176
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: rails/rails@19dbab5
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v7.2.3.1,https://github.com/rails/rails.git - v8.0.5,https://github.com/rails/rails.git - v8.1.2.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - activesupport-7.2.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. "NumberToDelimitedConverter" uses a lookahead-based regular expression with "gsub!" to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and "gsub!" can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33169
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: rails/rails@b54a4b3
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - activesupport-7.2.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.2.3.gem
Path to dependency file: /example/Gemfile.lock
Path to vulnerable library: /example/Gemfile.lock
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, "SafeBuffer#%" does not propagate the "@html_unsafe" flag to the newly created buffer. If a "SafeBuffer" is mutated in place (e.g. via "gsub!") and then formatted with "%" using untrusted arguments, the result incorrectly reports "html_safe? == true", bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Publish Date: 2026-03-23
URL: CVE-2026-33170
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: rails/rails@6e8a811
Release Date: 2026-03-23
Fix Resolution: https://github.com/rails/rails.git - v7.2.3.1,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.5
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.