addressable < 2.9.0 vulnerable to CVE-2026-35611 (blocked by fog-aliyun)

[johha]

Summary

CVE-2026-35611 is a HIGH severity (CVSS 7.5) ReDoS vulnerability in addressable affecting versions 2.3.0 to before 2.9.0. We cannot upgrade to the fixed version because fog-aliyun 0.4.0 pins addressable ~> 2.8.0.

Current Status

• addressable 2.8.10 contains an incomplete fix
• addressable 2.9.0 contains the full fix
• fog-aliyun 0.4.0 (last release Aug 2022) blocks 2.9.0
• Constraint fix is merged upstream (Update addressable requirement from ~> 2.8.0 to >= 2.8, < 2.10 fog/fog-aliyun#159) but no new gem released -> opened issue (Please release a new gem version to allow addressable 2.9.0 (CVE-2026-35611 fix) fog/fog-aliyun#160)

Possible Solutions

1. Wait for fog-aliyun to release a new gem version
2. Use fog-aliyun from git source temporarily
3. Remove fog-aliyun dependency in favor of storage-cli (ali support is available and production-proven)

References

• CVE-2026-35611: https://nvd.nist.gov/vuln/detail/CVE-2026-35611
• fog-aliyun fix merged: Update addressable requirement from ~> 2.8.0 to >= 2.8, < 2.10 fog/fog-aliyun#159