Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests

GHSA-p9fm-f462-ggrg · CVE-2026-33658

Published Mar 25, 2026 · Modified May 6, 2026

Description

Impact

Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by Hackerone researcher thwin_htet.

References

WEB https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33658
PACKAGE https://github.com/rails/rails
WEB https://github.com/rails/rails/releases/tag/v7.2.3.1
WEB https://github.com/rails/rails/releases/tag/v8.0.4.1
WEB https://github.com/rails/rails/releases/tag/v8.1.2.1
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes