PT-2026-30910 · Unknown · Addressable
Vendor: Sporkmonger · Published 2026-04-07 · Updated 2026-04-17
CVE-2026-35611 · CVSS v3.1 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Addressable versions 2.3.0 through 2.8.9
Description
Addressable, an alternative URI implementation for Ruby, contains a flaw in its URI template (RFC 6570) implementation. When a template is matched against a URI (for example via Template#extract or Template#match), Addressable compiles the template into a regular expression. Templates that use the '*' (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate regular expressions susceptible to catastrophic backtracking when matched against crafted URIs. Templates with multiple variables under the '+' or '#' operators (e.g., {+v1,v2,v3}) are also affected: the comma used to separate the variables is itself a member of the reserved character class each variable matches, so the engine can try many ways of splitting the input between variables before failing. Matching an attacker-controlled URI against such a template results in uncontrolled CPU consumption and denial of service.
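The following is an added example for this advisory, not code from the Addressable gem: a small audit helper that reports whether an installed version falls in the affected range and scans a template string for the two expression shapes described above (an explode modifier under any operator, or several variables under '+' or '#'). The function names `affected_version?` and `audit_template`, and the minimal RFC 6570 expression grammar used here, are this example's own assumptions; the gem's real parser is not reproduced.

```ruby
require "rubygems" # Gem::Version is part of the standard Ruby distribution

# Affected per the advisory: 2.3.0 through 2.8.9; fixed in 2.9.0.
FIRST_AFFECTED = Gem::Version.new("2.3.0")
FIXED_VERSION  = Gem::Version.new("2.9.0")

def affected_version?(version_string)
  v = Gem::Version.new(version_string)
  v >= FIRST_AFFECTED && v < FIXED_VERSION
end

# Minimal RFC 6570 expression grammar, sufficient for linting (assumption of this
# example): "{" optional operator, then a comma-separated list of variable specs,
# each optionally carrying a ":N" prefix modifier or a "*" explode modifier.
EXPRESSION = /\{([+#.\/;?&]?)([^{}]*)\}/
VARSPEC    = /\A([A-Za-z0-9_.%]+)(\*|:\d+)?\z/

# Returns one finding hash per risky expression found in the template.
#   :explode            -> at least one variable uses the '*' modifier
#   :reserved_multi_var -> two or more variables under the '+' or '#' operator
def audit_template(template)
  findings = []
  template.scan(EXPRESSION) do |op, varlist|
    parsed = varlist.split(",").map { |spec| VARSPEC.match(spec.strip) }
    next if parsed.any?(&:nil?) # malformed expression: outside this check's scope

    names   = parsed.map { |m| m[1] }
    explode = parsed.select { |m| m[2] == "*" }.map { |m| m[1] }
    expr    = "{#{op}#{varlist}}"

    if explode.any?
      findings << { expression: expr, reason: :explode, variables: explode }
    end
    if %w[+ #].include?(op) && names.size > 1
      findings << { expression: expr, reason: :reserved_multi_var, variables: names }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample templates for demonstration.
  ["/search{?q,lang*}{#frag}", "{+path,query,frag}", "/users/{id}{?page}"].each do |t|
    puts "#{t}: #{audit_template(t).inspect}"
  end
  puts "2.8.9 affected? #{affected_version?('2.8.9')}"
  puts "2.9.0 affected? #{affected_version?('2.9.0')}"
end
```

A finding means the template is worth attention only if untrusted URIs are matched against it; expansion alone is not the issue described here. The fix is the upgrade to 2.9.0. As defense in depth on Ruby 3.2 and later, a process-wide `Regexp.timeout` bounds how long any single match may run, which turns a hang into a `Regexp::TimeoutError` that the caller can handle.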
Recommendations
Update to version 2.9.0 or later.
Exploit
Fix
DoS
Affected Products
Addressable