Skip to content

addressable < 2.9.0 vulnerable to CVE-2026-35611 (blocked by fog-aliyun) #5018

Description

@johha

Summary

CVE-2026-35611 is a HIGH severity (CVSS 7.5) ReDoS vulnerability in addressable affecting versions 2.3.0 to before 2.9.0. We cannot upgrade to the fixed version because fog-aliyun 0.4.0 pins addressable ~> 2.8.0.

Current Status

Possible Solutions

  1. Wait for fog-aliyun to release a new gem version
  2. Use fog-aliyun from git source temporarily
  3. Remove fog-aliyun dependency in favor of storage-cli (ali support is available and production-proven)

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions