PT-2021-5826 · Ruby on Rails · Active Record

Dee-See · Published 2021-02-11 · Updated 2025-09-29 · CVE-2021-22880

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Active Record versions prior to 6.1.2.1
Active Record versions prior to 6.0.3.5
Active Record versions prior to 5.2.4.5
Description

The PostgreSQL adapter in Active Record suffers from a regular expression denial of service (ReDoS) vulnerability. A carefully crafted string can cause the input validation in the adapter's money type to spend excessive time in a regular expression while the value is cast, resulting in the potential for a DoS attack against the application process. This only impacts Rails applications that use PostgreSQL together with money type columns that accept user input.
Recommendations

For versions prior to 6.1.2.1, update to version 6.1.2.1 or later.
For versions prior to 6.0.3.5, update to version 6.0.3.5 or later.
For versions prior to 5.2.4.5, update to version 5.2.4.5 or later.

As a temporary workaround, consider restricting the use of the money type in the PostgreSQL adapter, in particular by not assigning untrusted user-supplied strings to money columns, to minimize the risk of exploitation.
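The two checks a practitioner typically wants from this advisory are a version test against the three fixed releases listed above and a cheap guard that keeps oversized or malformed strings away from money columns until the upgrade lands. The Ruby below is an added example written for this page, not code from the advisory or from Rails: the version table is taken from the advisory text, while the `MAX_MONEY_INPUT` cap, the `MONEY_SHAPE` pattern and the function names are my own assumptions (the shape pattern is deliberately stricter than whatever the adapter itself accepts, so treat it as a pre-filter, not a replacement for the upstream fix).

```ruby
# Added example for CVE-2021-22880 (not from the advisory or from Rails itself).
require "rubygems" # Gem::Version ships with Ruby; explicit require is harmless

# Fixed releases named in the advisory, keyed by minor branch.
FIXED_BY_BRANCH = {
  "6.1" => Gem::Version.new("6.1.2.1"),
  "6.0" => Gem::Version.new("6.0.3.5"),
  "5.2" => Gem::Version.new("5.2.4.5"),
}.freeze

# Returns true when the given Active Record version string (e.g. "6.0.3.4")
# falls inside one of the "prior to" ranges the advisory lists.
# Branches older than 5.2 never received a fix and are reported as affected;
# branches newer than 6.1 post-date the fix and are reported as not affected.
def active_record_vulnerable?(version)
  v = Gem::Version.new(version)
  branch = v.segments.first(2).join(".")
  fixed = FIXED_BY_BRANCH[branch]
  return v < fixed if fixed

  v < Gem::Version.new("5.2.0") # unpatched legacy branch
end

# Defence in depth on Ruby >= 3.2: bound every regexp match process-wide so a
# pathological match fails fast instead of pinning a worker. No-op on older Rubies.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Assumption: no legitimate currency amount needs more than this many bytes.
MAX_MONEY_INPUT = 64

# Linear-time shape check for the money formats the adapter documents:
# an optional currency symbol, digit groups separated by "," or ".", two
# decimals, and a negative sign written either as a leading "-" or as
# wrapping parentheses. This pattern is my own, not the one used by Rails.
AMOUNT = /[^\d\s,.()]?\d{1,3}(?:[.,]\d{3})*[.,]\d{2}/
MONEY_SHAPE = /\A(?:-?#{AMOUNT}|\(#{AMOUNT}\))\z/

# Cheap guard to run before assigning user input to a money attribute.
# The length cap runs first so the regexp never sees a huge string.
def money_input_acceptable?(input)
  return false unless input.is_a?(String)
  return false if input.bytesize > MAX_MONEY_INPUT

  MONEY_SHAPE.match?(input)
end

if __FILE__ == $PROGRAM_NAME
  %w[5.2.4.4 5.2.4.5 6.0.3.4 6.0.3.5 6.1.2.0 6.1.2.1].each do |ver|
    puts "activerecord #{ver}: #{active_record_vulnerable?(ver) ? 'AFFECTED' : 'fixed'}"
  end
  ["$12,345,678.12", "($2.55)", "," * 10_000].each do |s|
    puts "#{s[0, 20].inspect}: #{money_input_acceptable?(s) ? 'accept' : 'reject'}"
  end
end
```

In an application, `active_record_vulnerable?` would be fed `ActiveRecord::VERSION::STRING` or the version pinned in `Gemfile.lock`, and `money_input_acceptable?` would run in a model validation or form object before the value reaches the attribute writer; both placements are assumptions about where a team would wire this in, not part of the advisory.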

Exploit · Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2021-2595
ALT-PU-2023-4268
ALT-PU-2024-7814
BDU:2022-00323
CVE-2021-22880
DSA-4929-1
GHSA-8HC4-XXM3-5PPP
OPENSUSE-SU-2021:1468-1
OPENSUSE-SU-2021:3634-1
OPENSUSE-SU-2021_1468-1
OPENSUSE-SU-2021_3634-1
OPENSUSE-SU-2024:11326-1
OPENSUSE-SU-2024:11327-1
OPENSUSE-SU-2024:11826-1
SUSE-SU-2021:3267-1
SUSE-SU-2021:3634-1
SUSE-SU-2021_3634-1

Affected Products

Alt Linux
Active Record
Astra Linux
Postgresql
Suse