UNKNOWN RubyGems
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
GHSA-r46p-8f7g-vvvg · CVE-2026-33174
Published · Modified
Description
Impact
When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.
Releases
The fixed releases are available at the normal locations.
Credit
This issue was responsibly reported by Hackerone user pirikara
References
- WEB https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33174
- WEB https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
- WEB https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
- WEB https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
- PACKAGE https://github.com/rails/rails
- WEB https://github.com/rails/rails/releases/tag/v7.2.3.1
- WEB https://github.com/rails/rails/releases/tag/v8.0.4.1
- WEB https://github.com/rails/rails/releases/tag/v8.1.2.1
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33174.yml
Ready to move
Start Securing
Free, no credit card | First findings in minutes