CVE-2026-33658
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 14th |
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request carrying thousands of small ranges costs disproportionate CPU time compared to a normal request for the same file, which can be used for denial of service. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
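The defensive idea behind the fix is to count ranges before doing any per-range work. The Ruby below is an added example, not code from Rails or from this advisory: it parses a `bytes=` Range header, rejects a header with more ranges than an assumed limit (`MAX_RANGES = 8`; the limit used in the patched Rails versions is not stated here), and wraps that check in a small Rack-style middleware (`RangeLimiter`, a hypothetical name). The 1000-range header is constructed for the example.

```ruby
# Added example (not Rails' own code): limit the number of byte ranges a
# Range header may carry before the application does any per-range work.
# MAX_RANGES is an assumed value; the limit in the patched Rails versions is
# not stated in this advisory.
MAX_RANGES = 8

# Constructed sample: a header with 1000 one-byte ranges, the shape of request
# the advisory describes.
FLOOD_RANGE_HEADER = "bytes=" + (0...1000).map { |i| "#{i}-#{i}" }.join(",")

# Parse "bytes=a-b,c-,-d" into [[a, b], [c, nil], [nil, d]].
# Returns nil for a malformed header.
def parse_byte_ranges(header)
  return nil unless header.is_a?(String) && header.start_with?("bytes=")
  specs = header.delete_prefix("bytes=").split(",", -1).map(&:strip)
  specs.map do |spec|
    case spec
    when /\A(\d+)-(\d+)\z/ then [$1.to_i, $2.to_i]   # first-last
    when /\A(\d+)-\z/      then [$1.to_i, nil]       # first- (to end of file)
    when /\A-(\d+)\z/      then [nil, $1.to_i]       # -suffix (last N bytes)
    else return nil                                  # any other form is invalid
    end
  end
end

# Classify a Range header. The count check runs on the raw string, so an
# oversized header is rejected before any regex work is spent on it.
def range_request_verdict(header, max_ranges: MAX_RANGES)
  return :no_range if header.nil? || header.empty?
  return :too_many_ranges if header.count(",") + 1 > max_ranges
  ranges = parse_byte_ranges(header)
  return :malformed if ranges.nil? || ranges.empty?
  :ok
end

# Rack-style middleware (hypothetical; takes a plain Hash env, so the rack gem
# is not required): answers 416 to requests over the limit, passes the rest on.
class RangeLimiter
  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  def call(env)
    verdict = range_request_verdict(env["HTTP_RANGE"], max_ranges: @max_ranges)
    if verdict == :too_many_ranges
      [416, { "content-type" => "text/plain" }, ["Too many byte ranges\n"]]
    else
      @app.call(env)
    end
  end
end
```

Rejecting with 416 is one choice; RFC 9110 also permits a server to ignore the Range header entirely and serve the whole resource with 200, which costs a single sequential read rather than per-range seeks. Either way, the comparison on the raw header string is what keeps the cost of an abusive request close to that of a normal one.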
| CWE | CWE-770 |
| Vendor | rails |
| Product | activestorage |
| Published | Mar 26, 2026 |
| Last Updated | Mar 30, 2026 |
Affected Versions
rails / activestorage
- >= 8.1.0, < 8.1.2.1
- >= 8.0.0, < 8.0.4.1
- < 7.2.3.1
References
- https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml