How Denial of Service via crafted URI templates happens in Ruby addressable and how to fix it
Introduction
In a Fastlane production codebase, Orbis AppSec's Trivy scanner flagged a high-severity vulnerability in the Gemfile.lock: the addressable gem pinned at version 2.8.7 was vulnerable to CVE-2026-35611, a Denial of Service attack exploitable through crafted URI templates.
Fastlane explicitly declares addressable as a dependency in fastlane.gemspec with the comment # Support for URI templates, meaning this library is actively used for URI construction and parsing in production workflows. Since Fastlane processes URLs from various sources—including user configuration files, API responses, and CI/CD pipeline inputs—the vulnerable URI template expansion code sits directly in the path of potentially untrusted data.
This matters for any Ruby developer using addressable for URI handling: if your application accepts URI templates or URIs from external sources, versions prior to 2.9.0 could be exploited to hang your application.
The Vulnerability Explained
The addressable gem is one of Ruby's most popular libraries for URI parsing and template expansion, implementing RFC 6570 (URI Template). CVE-2026-35611 targets the template expansion logic—specifically, how addressable versions prior to 2.9.0 handle certain pathological URI template patterns.
What was vulnerable:
In the Gemfile.lock, the project pinned:
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
And in fastlane.gemspec:
spec.add_dependency('addressable', '>= 2.8', '< 3.0.0') # Support for URI templates
The vulnerability lies in how Addressable::Template processes expansion. When a crafted URI template with deeply nested or repeated expansion operators is passed to the library, the parsing algorithm exhibits exponential time complexity. An attacker who can influence a URI template string—whether through a configuration file, API parameter, or webhook payload—can craft input that causes the Ruby process to spin indefinitely.
Example attack scenario:
Consider a Fastlane action that constructs download URLs using Addressable::Template:
require 'addressable/template'
# user_provided_template reaches this call from outside the action
template = Addressable::Template.new(user_provided_template)
uri = template.expand(variables)
An attacker providing a malicious template string with carefully constructed nested expressions could cause this expand call to consume 100% CPU for minutes or hours, effectively freezing the CI/CD pipeline. In a server context, this could be triggered remotely via an API endpoint that accepts URI patterns.
The real-world impact for Fastlane specifically includes:
- CI/CD pipeline hangs: Build agents become unresponsive, blocking deployments
- Resource exhaustion: Shared build infrastructure becomes unavailable for all teams
- Cascading failures: Timeouts and retries amplify the resource consumption
The Fix
The fix upgrades addressable from 2.8.7 to 2.9.0, which contains the patch for CVE-2026-35611. Three files were modified to ensure consistency across the dependency declaration:
1. fastlane.gemspec — Raising the minimum version floor:
Before:
spec.add_dependency('addressable', '>= 2.8', '< 3.0.0') # Support for URI templates
After:
spec.add_dependency('addressable', '>= 2.9.0', '< 3.0.0') # Support for URI templates
This ensures that anyone installing the gem fresh will never resolve to a vulnerable version. The minimum bound moved from 2.8 to 2.9.0.
2. Gemfile.lock — Pinning the resolved version:
Before:
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
After:
addressable (2.9.0)
public_suffix (>= 2.0.2, < 8.0)
The lock file now resolves to the patched version. Note that addressable 2.9.0 also relaxed its public_suffix constraint from < 7.0 to < 8.0, indicating the upstream maintainers took the opportunity to modernize compatibility.
3. Gemfile.lock PATH section — Updating the internal dependency declaration:
Before:
addressable (>= 2.8, < 3.0.0)
After:
addressable (>= 2.9.0, < 3.0.0)
This keeps the PATH (local gem) dependency in sync with the gemspec change.
Why this works: Version 2.9.0 of addressable introduces bounds on URI template expansion complexity—likely adding recursion depth limits, input length validation, or replacing the vulnerable algorithm with one that has polynomial worst-case behavior. The fix is entirely within the library; no application code changes are needed.
Prevention & Best Practices
- Pin minimum versions to patched releases: Don't use overly permissive version constraints like >= 2.8. When a CVE is published, immediately raise the floor to the fixed version.
- Run dependency scanners in CI: Tools like Trivy, bundler-audit, or Dependabot can catch known vulnerable gem versions before they reach production.
- Validate URI template inputs: If your application accepts URI templates from untrusted sources, consider:
  - Limiting template string length
  - Restricting allowed template operators
  - Setting timeouts on template expansion operations
- Monitor for ReDoS-like patterns in parsing libraries: URI template DoS is conceptually similar to Regular Expression Denial of Service (ReDoS)—both exploit algorithmic complexity. Libraries that parse structured input are common targets.
- Keep lock files committed and reviewed: The Gemfile.lock is your source of truth for what's actually deployed. Automated scanners like Trivy check this file specifically.
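An added example (not Fastlane's or addressable's own code) of the input-validation and timeout mitigations listed above: it caps template length and expression count, whitelists RFC 6570 operators, and runs the expansion under a wall-clock bound. The function names, the limits, and the default operator set are assumptions chosen for illustration.

```ruby
# Added example, not code from Fastlane or the addressable gem. Shows the
# "validate before expanding" mitigation: cap template length, cap the number
# of expressions, whitelist RFC 6570 operators, and bound expansion time.
# All limits, names and the default operator policy are assumptions.
require 'timeout'

# RFC 6570 varspec: varname with optional prefix (:1-9999) or explode (*) modifier.
# pct-encoded characters in varnames are omitted here for brevity (assumption).
VARSPEC    = /[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*(?::[1-9]\d{0,3}|\*)?/
# A full expression: optional operator followed by a comma-separated varlist.
EXPRESSION = /\A\{([+#.\/;?&]?)(#{VARSPEC}(?:,#{VARSPEC})*)\}\z/
# Operators accepted from untrusted templates (constructed policy; no reserved
# expansion '+', fragment '#', or path-style ';' parameters).
DEFAULT_OPERATORS = ['', '.', '/', '?', '&'].freeze

# Returns a list of problems; an empty list means the template passed all checks.
def validate_template(template, max_length: 512, max_expressions: 16,
                      allowed_operators: DEFAULT_OPERATORS)
  errors = []
  errors << "template longer than #{max_length} chars" if template.length > max_length
  exprs = template.scan(/\{[^{}]*\}/)
  errors << "more than #{max_expressions} expressions" if exprs.size > max_expressions
  # Any brace left outside a well-formed {...} group means a malformed template.
  stray = template.gsub(/\{[^{}]*\}/, '')
  errors << 'unbalanced or nested braces' if stray.include?('{') || stray.include?('}')
  exprs.each do |expr|
    m = EXPRESSION.match(expr)
    if m.nil?
      errors << "malformed expression #{expr}"
    elsif !allowed_operators.include?(m[1])
      errors << "operator '#{m[1]}' not allowed in #{expr}"
    end
  end
  errors
end

# Validates, then runs the expansion under a wall-clock bound. `expander` is
# injectable so the guard can be exercised without the gem installed; by
# default it calls Addressable::Template, the API discussed in this post.
def expand_untrusted(template, variables, timeout: 2, expander: nil)
  errors = validate_template(template)
  raise ArgumentError, errors.join('; ') unless errors.empty?
  expander ||= lambda do |t, v|
    require 'addressable/template'
    Addressable::Template.new(t).expand(v).to_s
  end
  # Timeout can interrupt a CPU-bound Ruby loop but not code inside a C extension.
  Timeout.timeout(timeout) { expander.call(template, variables) }
end
```

The length and expression caps reject pathological input before the expansion algorithm ever sees it; the timeout is the backstop for anything the static checks miss.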
Key Takeaways
- The addressable gem's URI template expansion (pre-2.9.0) had unbounded algorithmic complexity that could be triggered by crafted input, making any Ruby application using Addressable::Template with untrusted data vulnerable to DoS.
- Fastlane's explicit dependency on addressable for "URI templates" (as noted in the gemspec comment) confirms this code path is actively used in production, not just transitively included.
- Raising the minimum version floor in the gemspec (not just updating the lock file) prevents downstream consumers from accidentally resolving to vulnerable versions.
- The public_suffix constraint change from < 7.0 to < 8.0 in addressable 2.9.0 means the upgrade may also unblock other dependency resolution issues in your project.
- Dependency-level DoS vulnerabilities are often assessed as "Likely exploitable" because they require no authentication or special access—just the ability to influence input that reaches the vulnerable parser.
How Orbis AppSec Detected This
- Source: URI template strings processed by Addressable::Template, potentially influenced by user configuration, API responses, or CI/CD pipeline inputs flowing through Fastlane actions.
- Sink: The addressable gem's template expansion logic (version 2.8.7) as resolved in Gemfile.lock, which processes these templates with unbounded computational complexity.
- Missing control: No version floor enforcement preventing resolution to vulnerable addressable versions; no input complexity bounds on URI templates before expansion.
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Fix: Upgraded the addressable gem minimum version from 2.8 to 2.9.0 across gemspec, Gemfile, and Gemfile.lock to eliminate the vulnerable template expansion code.
Orbis AppSec automatically detected this vulnerability and opened a pull request with the fix. Try Orbis AppSec on your repositories to find and fix issues like this automatically.
Conclusion
CVE-2026-35611 is a textbook example of how algorithmic complexity vulnerabilities in widely-used parsing libraries can create high-severity risks with minimal attacker effort. The addressable gem is a foundational dependency in the Ruby ecosystem—used by Fastlane, many HTTP clients, and countless web applications. A single crafted URI template could freeze a CI/CD pipeline or take down a web service.
The fix is straightforward: upgrade to addressable >= 2.9.0. But the broader lesson is about defense in depth—pin safe minimum versions, scan dependencies continuously, and never assume that parsing libraries handle pathological input gracefully. If your Ruby project uses addressable for URI template expansion with any form of external input, verify your version today.