{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35611", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.163Z", "datePublished": "2026-04-07T16:38:08.707Z", "dateUpdated": "2026-04-07T16:38:08.707Z"}, "containers": {"cna": {"title": "Addressable has a Regular Expression Denial of Service in Addressable templates", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4"}], "affected": [{"vendor": "sporkmonger", "product": "addressable", "versions": [{"version": ">= 2.3.0, < 2.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:38:08.707Z"}, "descriptions": [{"lang": "en", "value": "Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0."}], "source": {"advisory": "GHSA-h27x-rffw-24p4", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0."}], "id": "CVE-2026-35611", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:35.427", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "addressable: Addressable: Denial of Service via crafted URI templates", "id": "2456062", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456062"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1333", "details": ["A flaw was found in Addressable. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by providing a maliciously crafted Uniform Resource Identifier (URI) to the URI template implementation. Specifically, certain URI templates using the explode modifier or multiple variables with the plus or hash operators generate regular expressions vulnerable to catastrophic backtracking, leading to uncontrolled resource consumption."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-35611", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/toolbox", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/toolbox-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/toolbox-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2026-04-07T16:38:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35611\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35611\nhttps://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "addressable", "source": "cna", "vendor": "sporkmonger"}, "product": "addressable", "vendor": "sporkmonger"}], "analysis": {"en": {"generated_at": "2026-04-07T23:19:38.030030+00:00", "value": {"mitigation_remediation": ["Upgrade Addressable to version 2.9.0 or newer", "Verify that all dependent libraries use the patched version", "If an upgrade is not immediately feasible, restrict or sanitize template and URI input to eliminate complex patterns that trigger backtracking", "Monitor CPU and memory usage for anomalous spikes that may indicate exploitation attempts", "If possible, temporarily disable or ban the use of the vulnerable template features until a patch can be applied"], "summary": {"action": "Patch immediately", "impact": "Denial of service via regex backtracking"}, "threat_synthesis": {"affected_systems": "The sporkmonger Addressable library is affected in all releases from 2.3.0 up to, but not including, 2.9.0. These versions remain vulnerable until the fix delivered in 2.9.0, which removes the problematic regex construction.", "description_and_impact": "Addressable, a Ruby library for URI handling, contains a bug in its URI template implementation. Two categories of templates construct regular expressions with nested unbounded quantifiers, which trigger exponential backtracking when matching maliciously crafted strings. The resulting CPU and memory exhaustion can bring services to a halt.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating a moderate to high risk. EPSS data is not available and the issue is not listed in the KEV catalog. The attack vector is inferred to be remote: any application that processes user\u2011supplied templates or URIs through Addressable can be targeted by sending specially crafted input that causes catastrophic backtracking, resulting in denial of service."}}}}, "created": "2026-04-08T19:36:47.066318+00:00", "updated": "2026-04-08T19:47:50.405185+00:00", "vendors": ["sporkmonger", "sporkmonger$PRODUCT$addressable"]}