Denial of Service Risk in Addressable Implementation of URI by Sporkmonger
CVE-2026-35611

7.5 HIGH

Key Information:

Vendor
CVE Published:
7 April 2026

What is CVE-2026-35611?

Addressable is a Ruby gem that provides an alternative implementation of URI, including RFC 6570 URI templates. Versions before 2.9.0 contain a regular expression that is subject to catastrophic backtracking when certain URI templates are matched against input: templates that use the * (explode) modifier together with multiple variables under the + (reserved expansion) or # (fragment expansion) operators. Matching such a template against a maliciously crafted URI consumes excessive CPU time, so an application that matches attacker-supplied URIs against templates of this shape can be driven into denial of service by an unauthenticated remote attacker. The issue is fixed in Addressable 2.9.0.

Affected Version(s)

addressable >= 2.3.0, < 2.9.0
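The following Ruby script is an added example; it is not code from the advisory or from the Addressable project. It does two things a practitioner would want after reading the description and affected range above: it scans Gemfile.lock text for resolved addressable versions inside the affected range (bounds taken from the advisory), and it flags URI templates whose shape matches the advisory's wording (explode modifier plus several variables under the + or # operators). The template check is a heuristic derived from that wording, not Addressable's own matching logic; the function names, constants, Gemfile.lock excerpt and template list are all constructed for this example.

```ruby
# Added example: not from the advisory or the Addressable project.
# Two offline checks: (1) is a pinned addressable version in the affected
# range, (2) does a URI template have the shape the advisory describes.
require "rubygems" # for Gem::Version (correct "2.10.0" > "2.9.0" comparison)

AFFECTED_MIN = Gem::Version.new("2.3.0") # first affected release, per advisory
FIXED_IN     = Gem::Version.new("2.9.0") # first fixed release, per advisory

# True when +version+ falls in "addressable >= 2.3.0, < 2.9.0".
def vulnerable_addressable?(version)
  return false unless Gem::Version.correct?(version)
  v = Gem::Version.new(version)
  v >= AFFECTED_MIN && v < FIXED_IN
end

# Pull every resolved "addressable (x.y.z)" entry out of Gemfile.lock text and
# return the versions in the affected range. Dependency constraint lines such
# as "addressable (~> 2.8)" are skipped because the capture must start with a
# digit.
def affected_addressable_versions(lockfile_text)
  lockfile_text.scan(/^\s*addressable \((\d[^)]*)\)/).flatten
               .select { |ver| vulnerable_addressable?(ver) }
end

# RFC 6570 expression: "{", optional operator, comma-separated varspecs, "}".
# A varspec is "name", "name:N" (prefix) or "name*" (explode).
TEMPLATE_EXPRESSION = /\{([+#.\/;?&]?)([^{}]+)\}/

# Heuristic taken from the advisory wording: the template uses the explode
# modifier and has multiple variables under the reserved (+) or fragment (#)
# operators. This is NOT Addressable's own logic; a hit means "review and
# upgrade", not "proven exploitable".
def risky_template?(template)
  reserved = []
  template.scan(TEMPLATE_EXPRESSION) do |op, varlist|
    next unless op == "+" || op == "#"
    reserved.concat(varlist.split(",").map(&:strip))
  end
  reserved.size >= 2 && reserved.any? { |var| var.end_with?("*") }
end

# Constructed Gemfile.lock excerpt (sample data, not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.7)
        public_suffix (>= 2.0.2, < 7.0)
      public_suffix (6.0.1)

  DEPENDENCIES
    addressable (~> 2.8)
LOCK

# Constructed templates for the heuristic; the first two have the risky shape.
SAMPLE_TEMPLATES = [
  "{+path*}{#fragment*}",
  "{+segments*,extra}",
  "/users/{id}{?fields*}",
  "{+single*}",
]

if __FILE__ == $PROGRAM_NAME
  puts "affected addressable versions: #{affected_addressable_versions(SAMPLE_LOCKFILE).inspect}"
  SAMPLE_TEMPLATES.each do |t|
    puts "#{risky_template?(t) ? 'RISKY ' : 'ok    '} #{t}"
  end
end
```

Run it as a plain Ruby script, or feed File.read("Gemfile.lock") into affected_addressable_versions in a CI step and fail the build on a non-empty result. Treat a hit from risky_template? as a prompt to review the template and upgrade, not as proof of exploitability. Independently of the upgrade, Ruby 3.2 and later let a process set Regexp.timeout= as a backstop that aborts any regular expression match that runs too long, which limits the damage from backtracking of this kind wherever it appears.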

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 7 April 2026

  • Vulnerability reserved