CVE-2026-33174
HIGHRails Active Storage Proxy Mode - Range Request Denial of Service
Title source: manualDescription
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_confirm
https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
Patch x_refsource_misc
https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
Patch x_refsource_misc
https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
Patch x_refsource_misc
https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
Release Notes x_refsource_misc
https://github.com/rails/rails/releases/tag/v7.2.3.1
Release Notes x_refsource_misc
https://github.com/rails/rails/releases/tag/v8.0.4.1
Release Notes x_refsource_misc
https://github.com/rails/rails/releases/tag/v8.1.2.1
Scores
CVSS v3
7.5
EPSS
0.0061
EPSS Percentile
44.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-789
Status
published
Products (7)
rails/activestorage
< 7.2.3.1
rails/activestorage
>= 8.0.0.beta1, < 8.0.4.1
rails/activestorage
>= 8.1.0.beta1, < 8.1.2.1
rubygems/activestorage
0 - 7.2.3.1RubyGems
rubygems/activestorage
8.0.0.beta1 - 8.0.4.1RubyGems
rubygems/activestorage
8.1.0.beta1 - 8.1.2.1RubyGems
rubyonrails/rails
< 7.2.3.1
Published
Mar 24, 2026
Tracked Since
Mar 24, 2026