Unrestricted Resource Consumption

Unrestricted Resource Consumption in Ruby on Rails [CVE-2026-33176]


Overview

Unrestricted Resource Consumption vulnerabilities in Ruby on Rails can occur when user-supplied strings are fed into Active Support number helpers that ultimately rely on BigDecimal for formatting. For CVE-2026-33176, strings containing scientific notation (for example '1e10000') can cause BigDecimal to expand into astronomically large numbers. When these values are formatted or string-converted, the application may allocate enormous amounts of memory and CPU time, potentially leading to a denial of service.

This vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), because memory use and processing time grow without bound from input-driven numeric formatting. The risk is most acute in endpoints that render numeric values with helpers such as number_to_currency, number_with_precision, or humanize-style formatting using user-supplied data.

The issue arises because Rails versions prior to the patched releases perform unsafe string-to-number conversions that trigger catastrophic BigDecimal expansion. Exploitation typically starts with an attacker submitting a request whose parameters include a numeric string in exponential notation (e.g., amount='1e10000') that a view or API response then formats via a Rails number helper. An affected application without adequate input validation or dependency updates constructs a BigDecimal from that string and then formats or manipulates it, causing extreme memory usage and CPU load on the server. In practice, this can degrade service availability, affect other users, and increase operational costs for cloud-based deployments.

The patch hardens the numeric parsing/formatting path in Active Support so that extremely large values derived from strings with scientific notation are no longer expanded unsafely. The CVE is mitigated by upgrading to the patched releases: Rails 8.1.2.1, 8.0.4.1, or 7.2.3.1 and later.

If upgrading is not immediately possible, implement defensive input validation at the boundaries where numeric formatting occurs, and centralize numeric formatting behind a safe wrapper that rejects or sanitizes scientific notation before passing values to number helpers. Finally, verify remediation with tests that attempt to format or render very large numbers supplied by users (e.g., '1e10000') and confirm that they are rejected or capped rather than expanded. Include both unit tests for the wrapper and integration tests for the endpoints that render numeric fields.

Affected Versions

Rails ActiveSupport < 8.1.2.1 (8.1 line), < 8.0.4.1 (8.0 line), < 7.2.3.1 (7.2 line)

Code Fix Example

Ruby on Rails API Security Remediation
Vulnerable pattern:
# In a view or helper (where ActionView::Helpers::NumberHelper is included), the raw
# request parameter reaches the helper unvalidated; a value such as '1e10000' is
# turned into a BigDecimal and expanded while it is formatted.
amount = params[:amount]
formatted = number_to_currency(amount)

Fixed pattern:
def sanitize_numeric_input(value)
  # Accept only a plain decimal ('19.99', '-5'); reject anything carrying an
  # exponent such as '1e10000' so BigDecimal is never asked to expand it.
  return value if value.is_a?(Numeric)

  str = value.to_s.strip
  unless str.match?(/\A-?\d+(?:\.\d+)?\z/)
    raise ArgumentError, "Invalid numeric input"
  end
  str
end

sanitized = sanitize_numeric_input(params[:amount])
formatted = number_to_currency(sanitized)
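The safe wrapper recommended in the Overview, written out as an added example (not code from the advisory or from Rails): it accepts only plain decimals, caps the number of digits so an absurdly long literal cannot be formatted either, and converts to BigDecimal only after both checks pass. The module name SafeNumber, the max_digits default and the RejectedInput error class are assumptions for the example.

```ruby
require "bigdecimal"

# Added example: validate untrusted request strings before they reach
# number_to_currency / number_with_precision. Names here are hypothetical.
module SafeNumber
  class RejectedInput < ArgumentError; end

  # Plain decimal only: optional sign, integer digits, optional fraction.
  # No exponent marker, no whitespace inside, no hex/underscore tricks.
  PLAIN_DECIMAL = /\A[+-]?\d+(?:\.\d+)?\z/

  # Returns a BigDecimal for an acceptable string, raises RejectedInput otherwise.
  # max_digits bounds the total digit count so '9' * 10_000 is refused as well.
  def self.parse(raw, max_digits: 20)
    str = raw.to_s.strip
    # Reject scientific notation explicitly so the error message is specific
    # ('1e10000' is the CVE-2026-33176 trigger shape).
    raise RejectedInput, "scientific notation not allowed" if str.match?(/[eE]/)
    raise RejectedInput, "not a plain decimal" unless str.match?(PLAIN_DECIMAL)

    digits = str.count("0-9")
    if digits > max_digits
      raise RejectedInput, "too many digits (#{digits} > #{max_digits})"
    end

    # Safe to construct now: the magnitude is bounded by max_digits.
    BigDecimal(str)
  end

  # Convenience for unit tests and logging: true if parse would accept raw.
  def self.accepts?(raw, **opts)
    parse(raw, **opts)
    true
  rescue RejectedInput
    false
  end
end

# Usage at the boundary (in a Rails view this result feeds number_to_currency):
#   amount = SafeNumber.parse(params[:amount])
puts SafeNumber.accepts?("1e10000")   # false
puts SafeNumber.accepts?("19.99")     # true
```

In an endpoint, rescue SafeNumber::RejectedInput and answer with a 4xx response; the unit test below is the shape of the wrapper test the Overview asks for.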
