Cyber Resilience

CVE-2026-35611

Severity: High

Published: 07 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in 2.9.0
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35611 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in the Addressable Ruby gem (vendor: Addressable Project). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 8.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-35611 affects the Addressable Ruby gem, an alternative implementation to Ruby's standard library URI handling, specifically in its URI template functionality. Versions from 2.3.0 up to but not including 2.9.0 contain two classes of vulnerabilities where generated regular expressions are susceptible to catastrophic backtracking. The first involves templates using the explode modifier (*) with any expansion operator, such as {foo*}, {+var*}, or {/var*}, which produce patterns with nested unbounded quantifiers exhibiting O(2^n) complexity. The second involves templates with multiple variables using the + or # operators, like {+v1,v2,v3}, resulting in O(n^k) complexity due to ambiguous backtracking across variables caused by the comma separator in the character class. Matching these patterns against maliciously crafted URIs leads to uncontrolled resource consumption and denial of service.

Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as indicated by its CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Any application using the affected Addressable versions that processes untrusted URI templates—such as in web frameworks, APIs, or URL parsing libraries—could be targeted by sending a specially crafted URI that triggers the vulnerable regex during template expansion or validation, causing excessive CPU usage and potential service disruption.

The GitHub security advisory at https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4 confirms the issue and states that it is fixed in Addressable version 2.9.0, recommending immediate upgrades for affected users. This aligns with CWE-1333 (Inefficient Regular Expression Complexity).

EU & UK References

Vulnerability details

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking.

Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote ReDoS vulnerability in Addressable's URI template regex generation that causes uncontrolled CPU consumption and service disruption via a single crafted input, directly enabling T1499.004 Application or System Exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-46242 (shared CWE-1333)
CVE-2025-70030 (shared CWE-1333)
CVE-2024-41766 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)
CVE-2025-10990 (shared CWE-1333)
CVE-2026-27904 (shared CWE-1333)
CVE-2026-30925 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-23956 (shared CWE-1333)
CVE-2026-1388 (shared CWE-1333)

Affected Assets

Vendor: addressable project
Product: addressable (Ruby gem)
Affected versions: 2.3.0 ≤ version < 2.9.0 (fixed in 2.9.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)

Remediating the flaw in Addressable gem versions 2.3.0 up to but not including 2.9.0 by upgrading to 2.9.0 directly eliminates the catastrophic backtracking vulnerability in URI template regex generation.

Input validation (prevent)

Validating untrusted URI templates and inputs prevents processing of maliciously crafted URIs that trigger the nested unbounded quantifiers or ambiguous backtracking in the vulnerable regex patterns.

SC-5 Denial-of-service Protection (prevent, detect)

Denial-of-service protections limit the effects of uncontrolled CPU resource consumption from catastrophic backtracking when matching malicious URIs against vulnerable Addressable URI templates.
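The two controls that a team can act on directly are the version check (SI-2) and the validation of untrusted templates described above, and both follow mechanically from the advisory text in the Deeper analysis and Vulnerability details sections: the affected range is 2.3.0 ≤ version < 2.9.0, and the two risky template shapes are any expression carrying the explode modifier (*) and any expression under the + or # operator that lists more than one variable. The following Ruby is an added example written for this page; it is not code from the Addressable project or from the advisory. It uses only the Ruby standard library (Gem::Version from rubygems for version comparison), and the Gemfile.lock fragment and template strings in it are constructed sample inputs, not taken from any real application.

```ruby
# Added example (not from the advisory or the Addressable project): two
# defender-side checks derived from the description of CVE-2026-35611.
#
# 1. audit_gemfile_lock: flags an addressable pin inside the affected
#    range 2.3.0 <= version < 2.9.0 (NIST 800-53 SI-2, flaw remediation).
# 2. risky_template_constructs: flags the two RFC 6570 template shapes the
#    advisory names (explode modifier, or several variables under + or #)
#    so untrusted templates can be rejected before they reach Addressable.
require "rubygems"

AFFECTED_FROM = Gem::Version.new("2.3.0")
FIXED_IN      = Gem::Version.new("2.9.0")

# Constructed Gemfile.lock fragment; the pinned versions are sample values.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.7)
        public_suffix (>= 2.0.2, < 7.0)
      public_suffix (6.0.1)
LOCK

# True when the version string falls in the advisory's affected range.
def vulnerable_addressable_version?(version)
  v = Gem::Version.new(version)
  v >= AFFECTED_FROM && v < FIXED_IN
end

# Scans Gemfile.lock text for every "addressable (x.y.z)" spec line and
# returns [version, vulnerable?] pairs. Dependency lines such as
# "addressable (>= 2.3.0)" do not match because of the operator before the
# version, so only the resolved spec lines are reported.
def audit_gemfile_lock(lock_text)
  lock_text.scan(/^\s+addressable \(([^)\s]+)\)/).map do |(ver)|
    [ver, vulnerable_addressable_version?(ver)]
  end
end

# Classifies one URI template. Returns an array of symbols:
#   :explode          - some expression uses the * modifier ({foo*}, {/var*}, ...)
#   :multi_plus_hash  - an expression under + or # lists several variables ({+v1,v2})
# An empty array means neither construct named in the advisory is present.
def risky_template_constructs(template)
  findings = []
  # RFC 6570 expression: "{", optional operator, comma-separated varlist, "}".
  template.scan(/\{([+#.\/;?&])?([^{}]*)\}/) do |op, varlist|
    vars = varlist.split(",")
    findings << :explode if vars.any? { |v| v.end_with?("*") }
    findings << :multi_plus_hash if %w[+ #].include?(op) && vars.size > 1
  end
  findings.uniq
end

# Accept an untrusted template only when it carries none of the risky constructs.
def safe_template?(template)
  risky_template_constructs(template).empty?
end

if __FILE__ == $PROGRAM_NAME
  audit_gemfile_lock(SAMPLE_LOCK).each do |ver, vuln|
    puts "addressable #{ver}: #{vuln ? 'AFFECTED, upgrade to 2.9.0' : 'ok'}"
  end
  %w[{foo*} {+v1,v2,v3} {+var} /users/{id} {#x,y}].each do |t|
    puts "#{t.ljust(14)} -> #{risky_template_constructs(t).inspect}"
  end
end
```

The template classifier is a coarse allow-list gate for templates that come from untrusted sources; it does not change how Addressable itself builds patterns, so upgrading to 2.9.0 remains the actual fix and the classifier only narrows exposure on hosts that cannot upgrade immediately.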

References