1 file changed +38 -0 lines changed
1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-33658 (activestorage): Rails Active Storage has a possible DoS vulnerability
4+ in proxy mode via multi-range requests'
5+ comments : false
6+ categories :
7+ - activestorage
8+ - rails
9+ advisory :
10+ gem : activestorage
11+ framework : rails
12+ cve : 2026-33658
13+ ghsa : p9fm-f462-ggrg
14+ url : https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
15+ title : Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range
16+ requests
17+ date : 2026-03-25
18+ description : |
19+ ## Impact
20+
21+ Active Storage’s proxy controller does not limit the number of byte
22+ ranges in an HTTP Range header. A request with thousands of small
23+ ranges causes disproportionate CPU usage compared to a normal
24+ request for the same file, possibly resulting in a DoS vulnerability.
25+ patched_versions :
26+ - " ~> 7.2.3.1"
27+ - " ~> 8.0.4.1"
28+ - " >= 8.1.2.1"
29+ related :
30+ url :
31+ - https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906
32+ - https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released
33+ - https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch
34+ - https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c.patch
35+ - https://github.com/rails/rails/commit/b8a1665824a43d71cd6406cf9adcae842ceb1c22.patch
36+ - https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
37+ - https://github.com/advisories/GHSA-p9fm-f462-ggrg
38+ ---
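Review bot: the `date : 2026-03-25` field (line 17 of the hunk) does not match the release announcement it links to, whose URL is dated `2026/3/23` (`Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released`); confirm whether the advisory date should be the release date or the later publication date, since this front matter feeds the advisory page and feed ordering. Separately, the `description` block carries only the `## Impact` section: it names neither the affected version range nor any workaround, so a reader on a branch with no entry under `patched_versions` (7.1 and earlier) cannot tell from this page whether they are exposed or what to do short of upgrading; consider adding the affected range and any workaround text from the linked GHSA so the page is self-contained.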