CVE-2026-35611
Published: 07 April 2026
Summary
CVE-2026-35611 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in the Addressable Ruby gem (vendor listed as Addressable Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 8.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-35611 affects the Addressable Ruby gem, an alternative implementation to Ruby's standard library URI handling, specifically in its URI template functionality. Versions from 2.3.0 up to but not including 2.9.0 contain two classes of vulnerabilities where generated regular expressions are susceptible to catastrophic backtracking. The first involves templates using the explode modifier (*) with any expansion operator, such as {foo*}, {+var*}, or {/var*}, which produce patterns with nested unbounded quantifiers exhibiting O(2^n) complexity. The second involves templates with multiple variables using the + or # operators, like {+v1,v2,v3}, resulting in O(n^k) complexity due to ambiguous backtracking across variables caused by the comma separator in the character class. Matching these patterns against maliciously crafted URIs leads to uncontrolled resource consumption and denial of service.
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as indicated by its CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Any application using the affected Addressable versions that processes untrusted URI templates—such as in web frameworks, APIs, or URL parsing libraries—could be targeted by sending a specially crafted URI that triggers the vulnerable regex during template expansion or validation, causing excessive CPU usage and potential service disruption.
The GitHub security advisory at https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4 confirms the issue and states that it is fixed in Addressable version 2.9.0, recommending immediate upgrades for affected users. This aligns with CWE-1333 (Inefficient Regular Expression Complexity).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19788
Vulnerability details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking.
Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
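The two template classes described above, turned into a defensive pre-flight check, as an added example: this code is not part of the advisory or of the Addressable gem. It assumes a simplified RFC 6570 expression grammar (the EXPRESSION pattern), hypothetical helper names (addressable_affected?, risky_expressions, safe_to_match?, apply_regexp_timeout) and Ruby's standard Gem::Version; Regexp.timeout= exists only on Ruby 3.2 and later, so that helper reports whether it could be applied. The sample templates are constructed for the example.

```ruby
require "rubygems" # Gem::Version; a no-op on Rubies that load it by default

# Affected range stated in the advisory: 2.3.0 <= version < 2.9.0.
AFFECTED_FROM = Gem::Version.new("2.3.0")
FIXED_IN      = Gem::Version.new("2.9.0")

# True when the given Addressable version string falls inside the affected range.
def addressable_affected?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_FROM && v < FIXED_IN
end

# One RFC 6570 expression: optional operator character followed by the
# variable list. Group 1 = operator (may be empty), group 2 = variable list.
# Simplified grammar, an assumption of this example, not Addressable's parser.
EXPRESSION = /\{([+#.\/;?&]?)([^{}]*)\}/

# Scans a template and returns the expressions that match either class the
# advisory describes. Each finding is { expression:, reason: }.
def risky_expressions(template)
  findings = []
  template.scan(EXPRESSION) do |operator, varlist|
    vars = varlist.split(",").map(&:strip)
    expr = "{#{operator}#{varlist}}"
    # Class 1: explode modifier (*) with any operator -> nested unbounded quantifiers.
    if vars.any? { |v| v.end_with?("*") }
      findings << { expression: expr,
                    reason: "explode modifier (*): nested unbounded quantifiers, O(2^n)" }
    end
    # Class 2: two or more variables under + or # -> ambiguous backtracking across variables.
    if %w[+ #].include?(operator) && vars.length > 1
      findings << { expression: expr,
                    reason: "#{vars.length} variables with '#{operator}': ambiguous backtracking, O(n^k)" }
    end
  end
  findings
end

# Guard to run before handing a template to Addressable::Template#match or
# #extract on an affected version.
def safe_to_match?(template)
  risky_expressions(template).empty?
end

# Ruby 3.2+ has a global Regexp timeout; it bounds the cost of any pattern that
# still backtracks (a denial-of-service protection in the SC-5 sense). Returns
# whether the timeout could be applied on this Ruby.
def apply_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample templates, not taken from any real application.
  samples = [
    "http://example.com/{path*}",
    "http://example.com/{+v1,v2,v3}",
    "http://example.com/{path}{?q,lang}",
  ]
  samples.each do |t|
    findings = risky_expressions(t)
    puts "#{t}: #{findings.empty? ? 'ok' : findings.map { |f| f[:reason] }.join('; ')}"
  end
  puts "2.8.7 affected? #{addressable_affected?('2.8.7')}"
  puts "Regexp timeout applied? #{apply_regexp_timeout(1.0)}"
end
```

The intended use is to refuse or quarantine any template flagged by risky_expressions before it reaches Addressable::Template on an affected version, and to upgrade to 2.9.0 as the advisory recommends; the global match timeout is a backstop for patterns that still slip through, not a substitute for the upgrade.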
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote ReDoS vulnerability in Addressable's URI template regex generation that causes uncontrolled CPU consumption and service disruption via a single crafted input, directly enabling T1499.004 Application or System Exploitation for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Remediating the flaw in Addressable gem versions 2.3.0 to <2.9.0 by upgrading to 2.9.0 directly eliminates the catastrophic backtracking vulnerability in URI template regex generation.
- Input validation: Validating untrusted URI templates and inputs prevents processing of maliciously crafted URIs that trigger the nested unbounded quantifiers or ambiguous backtracking in the vulnerable regex patterns.
- SC-5 (Denial-of-service Protection): Denial-of-service protections limit the effects of uncontrolled CPU resource consumption from catastrophic backtracking when malicious URIs are matched against vulnerable Addressable URI templates.