CVE-2021-32740: 
Ruby vulnerability analysis and mitigation

CVE-2021-32740 affects Addressable, an alternative implementation to the URI implementation in Ruby's standard library. The vulnerability was introduced in version 2.3.0 and affects versions through 2.7.0. A maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI (GitHub Advisory).

The vulnerability is a Regular Expression Denial of Service (ReDoS) issue in the URI template implementation of Addressable. The CVSS v3.1 base score is 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD, GitHub Advisory).

When exploited, this vulnerability can lead to denial of service through uncontrolled resource consumption. While in typical usage templates would not normally be read from untrusted user input, the vulnerability poses a risk when template objects are created from untrusted sources. Users of only the parsing capabilities in Addressable, but not the URI template capabilities, are unaffected (GitHub Advisory).

The vulnerability is patched in version 2.8.0. As a workaround, users should only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking. The fix includes addressing the ReDoS vulnerability in Addressable::Template#match (GitHub Commit, GitHub Advisory).