CVE-2026-35611: CWE-1333: Inefficient Regular Expression Complexity in sporkmonger addressable
CVE-2026-35611 is a high-severity vulnerability in the sporkmonger addressable Ruby library versions 2. 3. 0 through before 2. 9. 0. It involves inefficient regular expression complexity in the URI template implementation, which can lead to catastrophic backtracking and denial of service when processing maliciously crafted URIs. The issue arises from nested unbounded quantifiers and ambiguous backtracking in certain URI template patterns. This vulnerability has been fixed in version 2. 9. 0.
AI Analysis
Technical Summary
The vulnerability exists in the addressable library's URI template implementation where certain templates generate regular expressions prone to catastrophic backtracking. Specifically, templates using the explode modifier (*) with any expansion operator produce nested unbounded quantifiers with exponential (O(2^n)) complexity. Additionally, templates with multiple variables using + or # operators generate patterns with polynomial (O(n^k)) complexity due to ambiguous backtracking caused by the comma separator within the matched character class. This inefficient regex processing can cause excessive CPU consumption and denial of service when matched against crafted URIs. The issue affects versions from 2.3.0 up to but not including 2.9.0 and is resolved in 2.9.0.
Potential Impact
Exploitation of this vulnerability can cause denial of service through uncontrolled resource consumption (CPU exhaustion) due to catastrophic backtracking in regular expression matching. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely without authentication by supplying maliciously crafted URIs to affected versions of the addressable library.
Mitigation Recommendations
This vulnerability is fixed in addressable version 2.9.0. Users should upgrade to version 2.9.0 or later to remediate this issue. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated beyond the fix in 2.9.0; therefore, verify with the vendor advisory for the most current remediation guidance.
CVE-2026-35611: CWE-1333: Inefficient Regular Expression Complexity in sporkmonger addressable
Description
CVE-2026-35611 is a high-severity vulnerability in the sporkmonger addressable Ruby library versions 2. 3. 0 through before 2. 9. 0. It involves inefficient regular expression complexity in the URI template implementation, which can lead to catastrophic backtracking and denial of service when processing maliciously crafted URIs. The issue arises from nested unbounded quantifiers and ambiguous backtracking in certain URI template patterns. This vulnerability has been fixed in version 2. 9. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in the addressable library's URI template implementation where certain templates generate regular expressions prone to catastrophic backtracking. Specifically, templates using the explode modifier (*) with any expansion operator produce nested unbounded quantifiers with exponential (O(2^n)) complexity. Additionally, templates with multiple variables using + or # operators generate patterns with polynomial (O(n^k)) complexity due to ambiguous backtracking caused by the comma separator within the matched character class. This inefficient regex processing can cause excessive CPU consumption and denial of service when matched against crafted URIs. The issue affects versions from 2.3.0 up to but not including 2.9.0 and is resolved in 2.9.0.
Potential Impact
Exploitation of this vulnerability can cause denial of service through uncontrolled resource consumption (CPU exhaustion) due to catastrophic backtracking in regular expression matching. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely without authentication by supplying maliciously crafted URIs to affected versions of the addressable library.
Mitigation Recommendations
This vulnerability is fixed in addressable version 2.9.0. Users should upgrade to version 2.9.0 or later to remediate this issue. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated beyond the fix in 2.9.0; therefore, verify with the vendor advisory for the most current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T21:25:12.163Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d534e5aaed68159a357dce
Added to database: 4/7/2026, 4:46:29 PM
Last enriched: 4/7/2026, 5:01:20 PM
Last updated: 4/7/2026, 6:26:07 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.