{"id":"CVE-2021-22880","details":"The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.","aliases":["GHSA-8hc4-xxm3-5ppp"],"modified":"2026-04-10T04:30:14.247896Z","published":"2021-02-11T18:15:17.333Z","related":["SUSE-SU-2021:3267-1","SUSE-SU-2021:3634-1","openSUSE-SU-2021:1468-1","openSUSE-SU-2021:3634-1","openSUSE-SU-2024:11326-1","openSUSE-SU-2024:11327-1","openSUSE-SU-2024:11826-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4929"},{"type":"FIX","url":"https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"},{"type":"FIX","url":"https://hackerone.com/reports/1023899"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"7847a19f476fb9bee287681586d872ea43785e53"},{"fixed":"dc7364b1f39cf2fa3c3af3ea0f239f9ae1b5a790"},{"introduced":"66cabeda2c46c582d19738e1318be8d59584cc5b"},{"fixed":"c5929d5eb55b749bc124b3ccc2d79323d015701f"},{"introduced":"914caca2d31bd753f47f9168f2a375921d9e91cc"},{"fixed":"130c128eae233bf71231c73b9c3c3b3f3ede918b"}],"database_specific":{"versions":[{"introduced":"4.2.0"},{"fixed":"5.2.4.5"},{"introduced":"6.0.0"},{"fixed":"6.0.3.5"},{"introduced":"6.1.0"},{"fixed":"6.1.2.1"}]}}],"versions":["v6.0.0","v6.0.3","v6.0.3.1","v6.0.3.2","v6.0.3.3","v6.0.3.4","v6.0.3.rc1","v6.1.0","v6.1.1","v6.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22880.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}