CVE-2026-35611: Addressable has a Regular Expression Denial of Service in Addressable templates
Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking:
- Templates using the
*(explode) modifier with any expansion operator (e.g.,{foo*},{+var*},{#var*},{/var*},{.var*},{;var*},{?var*},{&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. - Templates using multiple variables with the
+or#operators (e.g.,{+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables.
When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. The first pattern was partially addressed in 2.8.10 for certain operator combinations. Both patterns are fully remediated in 2.9.0.
Users of the URI parsing capabilities in Addressable but not the URI template matching capabilities are unaffected.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-35611 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →