The PostgreSQL adapter in Active Record before 188.8.131.52, 184.108.40.206, 220.127.116.11 suffers from a regular expression denial of service (ReDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with `money` type columns that take user input.
Weakness: Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
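The advisory describes validation that can spend unbounded time inside a backtracking regular expression. As an added example (not Rails' own code and not the project's patch), the routine below shows the defensive alternative: a single-pass normaliser for money strings that visits each character exactly once, so parsing cost is linear in the input length however the input is arranged, and it caps the input length before doing any work. The accepted conventions (an optional non-digit currency prefix, "," or "." digit grouping, a two-digit fraction after the other separator, and a leading minus or surrounding parentheses for negatives) are assumptions chosen for this illustration, not taken from the advisory.

```ruby
# Added example, not Rails' own code: a linear-time normaliser for money
# strings as a replacement for validating untrusted input with a
# backtracking regular expression.
#
# Assumed conventions (an assumption for this example, not from the advisory):
#   - optional surrounding parentheses or a leading "-" mark a negative amount
#   - an optional currency prefix ("$", "EUR ") of non-digit characters that
#     contains no separators or signs
#   - digit groups separated by "," or ".", and a final two-digit fraction
#     after the other separator, e.g. "1,234.56" or "1.234,56"
MAX_MONEY_LENGTH = 64 # hard cap: oversized input is rejected before parsing

SEPARATORS_AND_SIGNS = ",.-()".freeze

# Returns a canonical decimal string such as "-1234.56", or nil when the
# input is not well formed. There is no regular expression anywhere in the
# hot path, so there is nothing for crafted input to make backtrack.
def normalize_money(input)
  return nil unless input.is_a?(String) && input.length <= MAX_MONEY_LENGTH

  s = input.strip
  negative = false

  # Accounting style "(1,234.56)" denotes a negative amount.
  if s.start_with?("(") && s.end_with?(")")
    negative = true
    s = s[1..-2]
  end
  if s.start_with?("-")
    negative = true
    s = s[1..-1]
  end

  # Skip the currency prefix: everything up to the first digit, as long as
  # no separator or sign appears in it (that would make the input ambiguous).
  i = 0
  while i < s.length && !s[i].between?("0", "9") && !SEPARATORS_AND_SIGNS.include?(s[i])
    i += 1
  end
  return nil if i == s.length || !s[i].between?("0", "9")

  body = s[i..-1]
  # Smallest well-formed body is one digit, a separator and two digits.
  return nil if body.length < 4

  decimal_sep = body[-3]
  return nil unless decimal_sep == "." || decimal_sep == ","

  cents = body[-2, 2]
  return nil unless cents.each_char.all? { |c| c.between?("0", "9") }

  # Whichever separator is not the decimal point is the (optional) grouping
  # separator; anything else in the integer part is rejected.
  group_sep = decimal_sep == "." ? "," : "."
  digits = +""
  body[0...-3].each_char do |c|
    if c.between?("0", "9")
      digits << c
    elsif c != group_sep
      return nil
    end
  end
  return nil if digits.empty?

  "#{negative ? '-' : ''}#{digits}.#{cents}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs for a quick manual run.
  ["$1,234.56", "(1.234,56)", "-EUR 99.00", "1,234", "abc", "$-5.00"].each do |v|
    puts "#{v.inspect} -> #{normalize_money(v).inspect}"
  end
end
```

Because every character is examined once and the input length is bounded, the worst case for this routine is a few dozen comparisons, independent of how the separators and prefix are arranged. Where a regular expression cannot be avoided, Ruby 3.2 and later also offer `Regexp.timeout=` as a process-wide backstop that aborts a match that runs too long; it limits damage rather than removing the backtracking, so it complements rather than replaces a linear-time parser.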
Exploits for CVE-2021-22880 are not publicly available.
Ruby on Rails: Regular expression denial of service in ActiveRecord's PostgreSQL Money type
submitted by dee-see 3 months ago
publicly disclosed 18 days ago