PT-2023-18702 · Ruby+5

Ooooooo_Q · Published 2023-01-18 · Updated 2025-09-29 · CVE-2023-22796

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Active Support versions prior to 6.1.7.1
Active Support versions prior to 7.0.4.1

Description

The issue stems from insufficient input validation in the Inflector.underscore method, which can lead to a regular-expression denial-of-service (ReDoS) vulnerability. A specially crafted string passed to the underscore method can cause the regular expression engine to enter catastrophic backtracking, resulting in high CPU and memory usage and potentially a denial of service. This affects methods such as String#underscore, ActiveSupport::Inflector.underscore, and String#titleize.

Recommendations

For Active Support versions prior to 6.1.7.1, upgrade to version 6.1.7.1 or apply the patch 6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch. For Active Support versions prior to 7.0.4.1, upgrade to version 7.0.4.1 or apply the patch 7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch. As a temporary workaround, users on Ruby 3.2.0 or greater can configure Regexp.timeout to reduce the impact of the issue.
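Added example, not code from the advisory or from the Rails project: a Ruby check that reads the pinned activesupport version from a Gemfile.lock and tests it against the fixed versions named above (6.1.7.1 and 7.0.4.1). The lockfile fragment is constructed for the demonstration.

```ruby
# Added example: classify an Active Support version against the fix
# boundaries in this record and pull the version from a Gemfile.lock.
require "rubygems"

FIX_6_1  = Gem::Version.new("6.1.7.1")
FIX_7_0  = Gem::Version.new("7.0.4.1")
LINE_7_0 = Gem::Version.new("7.0.0")

# True when the version still carries the Inflector.underscore ReDoS:
# everything before 6.1.7.1 is affected, as is the 7.0 line before 7.0.4.1.
# 6.1.7.1 and later on the 6.1 line, and 7.0.4.1 and later, are fixed.
def activesupport_vulnerable?(version)
  v = Gem::Version.new(version)
  return true if v < FIX_6_1
  v >= LINE_7_0 && v < FIX_7_0
end

# Upgrade target per the advisory: the fixed release on the caller's line.
# Returns nil when the version is not affected.
def upgrade_target(version)
  return nil unless activesupport_vulnerable?(version)
  Gem::Version.new(version) >= LINE_7_0 ? FIX_7_0.to_s : FIX_6_1.to_s
end

# Extract the pinned activesupport version from Gemfile.lock text: the
# "activesupport (x.y.z)" specs entry, not an "(= x.y.z)" dependency line.
def activesupport_version_from_lock(lock_text)
  m = lock_text.match(/^\s*activesupport \(([\w.]+)\)\s*$/)
  m && m[1]
end

# Constructed Gemfile.lock fragment (not a real project's lockfile).
CONSTRUCTED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.4)
        i18n (>= 1.6, < 2)
      rails (7.0.4)
        activesupport (= 7.0.4)
LOCK

# Whole check: nil when the lockfile does not pin activesupport.
def check_lockfile(lock_text)
  version = activesupport_version_from_lock(lock_text)
  return nil unless version
  { version: version, vulnerable: activesupport_vulnerable?(version),
    upgrade_to: upgrade_target(version) }
end
```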

Exploit · Fix · DoS · RCE · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2023-1336
ALT-PU-2023-4268
ALT-PU-2024-7814
BDU:2025-01403
CVE-2023-22796
DSA-5372-1
GHSA-J6GC-792M-QGM2
OESA-2023-1130
OESA-2023-1140
OESA-2023-1145
OESA-2023-1154
OPENSUSE-SU-2023_0275-1
OPENSUSE-SU-2024:12767-1
OPENSUSE-SU-2024:14071-1
OPENSUSE-SU-2025:15114-1
RHSA-2023:6818
RLSA-2023:6818
SUSE-SU-2023:0275-1
SUSE-SU-2023:0612-1
SUSE-SU-2023_0275-1

Affected Products

Alt Linux
Active Support
Red Os
Rocky Linux
Ruby
Suse