CVE-2026-33658
Severity: MEDIUM
Rails Active Storage Proxy Mode - Multi-Range Denial of Service
Title source: manual
Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
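The weakness described above is unbounded per-range work driven by a client-controlled header. As an added example (not Rails code and not the upstream patch), the following Rack-style middleware counts the byte-range specs in a Range header before the request reaches a file-serving controller and, above an assumed limit, drops the header so the file is served whole at the cost of one normal request; the class name and MAX_RANGES are assumptions.

```ruby
# Added example, not Rails code: bound the number of byte ranges a request
# may ask for before it reaches a controller that serves each range.
class RangeCountLimiter
  MAX_RANGES = 8 # assumed limit; ordinary clients send one or a few ranges

  # Number of range specs in a Range header value (RFC 9110 form
  # "bytes=0-99,200-,-500"), or nil when absent or not a bytes= range.
  def self.range_count(header)
    return nil if header.nil?
    m = header.match(/\Abytes=(.*)\z/i)
    return nil unless m
    m[1].split(",").map(&:strip).reject(&:empty?).length
  end

  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  def call(env)
    count = self.class.range_count(env["HTTP_RANGE"])
    if count && count > @max_ranges
      # Ignore the header entirely: the downstream app then does the work of
      # one full-file response instead of one response per range.
      env = env.dup
      env.delete("HTTP_RANGE")
    end
    @app.call(env)
  end
end

# Constructed stand-in for a file-serving app: 206 when a Range survives,
# 200 for a whole-file response. Returns only the status for inspection.
def demo_status(range_header)
  app = ->(env) { env.key?("HTTP_RANGE") ? [206, {}, ["partial"]] : [200, {}, ["whole"]] }
  env = {}
  env["HTTP_RANGE"] = range_header if range_header
  status, _headers, _body = RangeCountLimiter.new(app).call(env)
  status
end
```

A request with thousands of tiny ranges therefore costs the same as a plain GET, while normal multi-range clients are unaffected.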
References (5)
- Confirm: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
- Misc: https://github.com/rails/rails/releases/tag/v7.2.3.1
- Misc: https://github.com/rails/rails/releases/tag/v8.0.4.1
- Misc: https://github.com/rails/rails/releases/tag/v8.1.2.1
- Misc: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml
Scores
CVSS v3
6.5
EPSS
0.0043
EPSS Percentile
34.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (7)
rails/activestorage
< 7.2.3.1
rails/activestorage
>= 8.0.0, < 8.0.4.1
rails/activestorage
>= 8.1.0, < 8.1.2.1
rubygems/activestorage
0 - 7.2.3.1 (RubyGems)
rubygems/activestorage
8.0.0 - 8.0.4.1 (RubyGems)
rubygems/activestorage
8.1.0 - 8.1.2.1 (RubyGems)
rubyonrails/rails
< 7.2.3.1
Published
Mar 26, 2026
Tracked Since
Mar 27, 2026