newrelic_rpm is vulnerable to Regular Expression Denial of Service (ReDoS)
Low Risk
Sinatra transaction naming in lib/new_relic/agent/instrumentation/sinatra/transaction_namer.rb used regex processing that could take polynomial time on very long route text, creating a Regular Expression Denial of Service risk in agent-side request processing. In affected versions this can increase CPU usage and degrade availability when route text handling hits pathological cases. The fix limits route text length before processing and replaces the previous capture-heavy pattern with safer boundary stripping behavior. The same release also hardens related stability paths by guarding nil HTTPX segments and making Transaction#finish idempotent under a mutex.
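As an added illustration of the hardening shape described above (this is not newrelic_rpm's code, and the agent's actual pattern, cap value and method names are not reproduced here), the function below caps route text length before doing any further work and strips leading and trailing slashes with linear-time string operations rather than a capture-heavy regular expression, so no input can trigger backtracking. The `MAX_ROUTE_LENGTH` value and the `safe_route_name` name are constructed; the nil guard mirrors the nil-segment hardening the advisory mentions.

```ruby
# Added example, not code from the newrelic_rpm agent. Constructed cap;
# the real agent's limit is not stated in the advisory.
MAX_ROUTE_LENGTH = 1_000

# Defence in depth on Ruby 3.2+: a process-wide regexp timeout converts any
# remaining pathological match into Regexp::TimeoutError instead of a CPU stall.
Regexp.timeout = 0.5 if Regexp.respond_to?(:timeout=)

# Normalise route text for use in a transaction name:
#   1. tolerate nil (return nil, do not raise);
#   2. truncate to MAX_ROUTE_LENGTH before any processing, so the cost of
#      everything that follows is bounded by a constant, not by input size;
#   3. strip route boundaries ("/" at either end) with delete_prefix /
#      delete_suffix, which are plain string scans with no backtracking.
def safe_route_name(route_text)
  return nil if route_text.nil?

  text = route_text.to_s
  text = text[0, MAX_ROUTE_LENGTH] if text.length > MAX_ROUTE_LENGTH

  text = text.delete_prefix("/") while text.start_with?("/")
  text = text.delete_suffix("/") while text.end_with?("/")
  text
end

# Constructed sample inputs, including the pathological "very long" cases.
if $PROGRAM_NAME == __FILE__
  ["/users/:id/", "///a///", "", nil, "/" * 5_000, "a" * 5_000].each do |sample|
    shown = sample.nil? ? "nil" : sample.inspect[0, 24]
    puts "#{shown} -> #{safe_route_name(sample).inspect[0, 24]}"
  end
end
```

Each boundary-stripping pass removes one character and the input is already capped, so the worst case is a fixed number of constant-time checks; the same cap also bounds any regex work that a later naming step might still do on the text.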
You are affected if you are using a version that falls within the vulnerable range.
newrelic_rpm is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 0.0.1 - 10.3.0.
Upgrade the newrelic_rpm library to a patched version.