PT-2023-18702 · Ruby+5
Ooooooo_Q · Published 2023-01-18 · Updated 2025-09-29 · CVE-2023-22796
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Active Support versions prior to 6.1.7.1
Active Support versions prior to 7.0.4.1
Description
Active Support's Inflector.underscore method does not bound the work its regular expressions perform on untrusted input, which makes it vulnerable to a regular expression based denial of service (ReDoS). A specially crafted string passed to the underscore method causes the regular expression engine to enter catastrophic backtracking, consuming CPU and memory out of proportion to the input length and potentially denying service. Every code path that reaches this method is affected, including String#underscore, ActiveSupport::Inflector.underscore, and String#titleize, which is built on underscore.
Recommendations
For Active Support versions prior to 6.1.7.1, upgrade to version 6.1.7.1 or apply the patch 6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch.
For Active Support versions prior to 7.0.4.1, upgrade to version 7.0.4.1 or apply the patch 7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch.
As a temporary workaround for users on Ruby 3.2.0 or greater, consider setting Regexp.timeout (a process-wide limit) so that a runaway match raises Regexp::TimeoutError instead of consuming CPU indefinitely. This bounds the impact of the issue but does not remove the backtracking itself; upgrading or applying the patch is still required.
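The following Ruby is an added example, not Active Support's own code, to make the description and the workaround above concrete. It isolates the two CamelCase-splitting substitutions of Inflector.underscore as they are assumed to have stood in the affected releases, beside the lookaround rewrite shipped in 6.1.7.1 and 7.0.4.1, and shows the Regexp.timeout mitigation for Ruby 3.2 and later. Acronym handling is left out, the function names `underscore_vulnerable`, `underscore_fixed`, `stress_input`, `runtime_seconds` and `underscore_with_timeout` are this example's own, and the stress input is constructed here rather than taken from the original report.

```ruby
# Added example, not Active Support's own code. The pre-fix and patched
# regular expressions are assumed to match the affected releases and the
# 6.1.7.1 / 7.0.4.1 patches; the helper names below are this example's own.

# Pre-fix form. `[A-Z\d]+` is greedy and is followed by `[A-Z][a-z]`,
# which never matches inside a long run of digits or uppercase letters,
# so the engine re-tries every shorter prefix of the run from every
# starting offset: quadratic work in the input length.
def underscore_vulnerable(camel_cased_word)
  word = camel_cased_word.to_s.gsub("::", "/")
  word.gsub!(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
  word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
  word.tr!("-", "_")
  word.downcase!
  word
end

# Patched form. Zero-width lookbehind/lookahead examine a fixed number
# of characters at each offset and insert "_" there; nothing of variable
# length is captured, so there is nothing to backtrack over.
def underscore_fixed(camel_cased_word)
  word = camel_cased_word.to_s.gsub("::", "/")
  word.gsub!(/(?<=[A-Z])(?=[A-Z][a-z])|(?<=[a-z\d])(?=[A-Z])/, "_")
  word.tr!("-", "_")
  word.downcase!
  word
end

# Constructed stress input: a run of n digits (an uppercase run behaves
# the same way). It contains no CamelCase boundary, so the correct result
# is the input itself; only the cost of reaching that answer differs.
def stress_input(n)
  "1" * n
end

# Wall-clock seconds each implementation spends on stress_input(n).
def runtime_seconds(n)
  input = stress_input(n)
  {}.tap do |out|
    [[:vulnerable, method(:underscore_vulnerable)],
     [:fixed, method(:underscore_fixed)]].each do |name, impl|
      started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
      impl.call(input)
      out[name] = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
    end
  end
end

# Workaround from the advisory for Ruby >= 3.2: a process-wide regexp
# timeout converts runaway matching into Regexp::TimeoutError, bounding
# CPU time per call. Returns :ok, :timeout or :unsupported (older Ruby).
def underscore_with_timeout(camel_cased_word, seconds: 0.5)
  return :unsupported unless Regexp.respond_to?(:timeout=)

  previous = Regexp.timeout
  Regexp.timeout = seconds
  underscore_vulnerable(camel_cased_word)
  :ok
rescue Regexp::TimeoutError
  :timeout
ensure
  Regexp.timeout = previous if Regexp.respond_to?(:timeout=)
end

if __FILE__ == $PROGRAM_NAME
  n = (ARGV[0] || 3_000).to_i
  puts "ActiveSupport::Inflector -> #{underscore_fixed('ActiveSupport::Inflector')}"
  runtime_seconds(n).each { |name, secs| printf("%-10s %.3fs for %d chars\n", name, secs, n) }
  puts "with Regexp.timeout: #{underscore_with_timeout(stress_input(n))}"
end
```

Run it with a larger argument (for example `ruby redos.rb 20000`) to watch the vulnerable variant's time grow roughly with the square of the input while the fixed variant stays flat. The timeout helper restores the previous global value in `ensure` because Regexp.timeout applies to every regular expression in the process, not just the one under test.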
Exploit
Fix
DoS
RCE
Resource Exhaustion
Related identifiers
Affected products
Alt Linux
Active Support
Red Os
Rocky Linux
Ruby
Suse