Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through memory exhaustion
Action: Immediate Patch
AI Analysis

Impact

Active Storage, the file attachment framework in Rails, contains a flaw where the proxy delivery mode reads the entire requested byte range into memory before transmitting it to the client. If a requester sends a very large or unbounded Range header, such as `bytes=0-`, the server allocates memory proportional to the file size, which can exhaust its resources and render the application unresponsive. This is a classic denial-of-service vulnerability and is catalogued as CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-789 (Memory Allocation with Excessive Size Value).

Affected Systems

The flaw affects Rails applications that serve Active Storage attachments in proxy delivery mode on versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. Every Rails release before those patch versions is affected; the fix is included in those versions and in later Rails releases.

Risk and Exploitability

The CVSS base score is 6.6, indicating a medium severity, and the EPSS score is less than 1 percent, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can trigger the issue by crafting HTTP requests with large or open Range headers to the application’s Active Storage proxy endpoint. Based on the description, the intended attack vector is from external parties capable of sending arbitrary HTTP requests to the application. Successful exploitation would consume server memory, potentially causing the process to be killed or the application to become significantly slower, leading to service interruptions for legitimate users.

Generated by OpenCVE AI on March 24, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rails to version 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later, which contain the patch for this issue.
  • If upgrading is not immediately feasible, disable Active Storage proxy delivery mode for sensitive files or configure the application to reject or limit large Range headers.
  • Implement application‑level monitoring of memory usage and enforce limits on the size of requests handled by the proxy endpoint.
  • Verify that no other components expose a similar Range header handling issue and apply vendor patches promptly.
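To make the mechanism in the description and the "reject or limit large Range headers" mitigation concrete, here is an added Ruby example (not Active Storage's own controller code): it parses a single-part Range header, then shows the memory-hungry slurp beside a version that clamps the range to an assumed per-request cap and streams it in fixed-size chunks. The function names, the 1 MiB cap (MAX_RANGE_BYTES) and the 64 KiB chunk size are assumptions for illustration, not Rails settings.

```ruby
require "stringio"

# Assumed limits for the example (not Rails defaults): cap on bytes served per
# Range request, and the read size used when streaming.
MAX_RANGE_BYTES = 1 * 1024 * 1024
CHUNK_SIZE      = 64 * 1024

# Parse a single-part header ("bytes=s-e", "bytes=s-", "bytes=-n") into an
# inclusive [first, last] pair for a resource of `size` bytes; nil if unusable.
def parse_byte_range(header, size)
  m = /\Abytes=(\d*)-(\d*)\z/.match(header.to_s)
  return nil if m.nil? || (m[1].empty? && m[2].empty?)
  if m[1].empty?                      # suffix form: last n bytes
    suffix = m[2].to_i
    return nil if suffix.zero?
    first, last = [size - suffix, 0].max, size - 1
  else
    first = m[1].to_i                 # open-ended "bytes=0-" means up to EOF
    last  = m[2].empty? ? size - 1 : [m[2].to_i, size - 1].min
  end
  return nil if first >= size || first > last
  [first, last]
end

# Vulnerable shape: the whole range becomes one String, so "bytes=0-" on a
# large blob allocates memory proportional to the file size.
def serve_range_slurp(io, first, last)
  io.seek(first)
  io.read(last - first + 1)
end

# Hardened shape: clamp the range length, then yield fixed-size chunks so the
# largest live buffer is CHUNK_SIZE regardless of the requested range.
# Returns the range actually served (for the 206 Content-Range header) and
# the largest chunk handed to the caller.
def serve_range_streamed(io, first, last, max_bytes: MAX_RANGE_BYTES)
  last = [last, first + max_bytes - 1].min
  io.seek(first)
  remaining = last - first + 1
  peak = 0
  while remaining > 0
    chunk = io.read([CHUNK_SIZE, remaining].min)
    break if chunk.nil?
    peak = [peak, chunk.bytesize].max
    yield chunk
    remaining -= chunk.bytesize
  end
  { first: first, last: last, peak_chunk: peak }
end
```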



Advisories

Source: Github GHSA
ID: GHSA-r46p-8f7g-vvvg
Title: Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
History

Tue, 24 Mar 2026 18:00:00 +0000

First Time appeared (added): Rubyonrails; Rubyonrails rails
CPEs (added): cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Vendors & Products (added): Rubyonrails; Rubyonrails rails
Metrics (removed): cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 24 Mar 2026 14:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 12:15:00 +0000

Weaknesses (added): CWE-770
References
Metrics (removed): threat_severity None
Metrics (added): cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Moderate

Tue, 24 Mar 2026 10:45:00 +0000

First Time appeared (added): Rails; Rails activestorage
Vendors & Products (added): Rails; Rails activestorage

Tue, 24 Mar 2026 02:30:00 +0000

Description (added): Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Title (added): Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Weaknesses (added): CWE-789
References
Metrics (added): cvssV4_0 {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T13:40:32.031Z

Reserved: 2026-03-17T22:16:36.719Z

Link: CVE-2026-33174

Vulnrichment

Updated: 2026-03-24T13:40:27.286Z

NVD

Status: Analyzed

Published: 2026-03-24T00:16:28.630

Modified: 2026-03-24T17:55:58.230

Link: CVE-2026-33174

Redhat

Severity: Moderate

Public Date: 2026-03-23T23:24:55Z

Links: CVE-2026-33174 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T20:36:05Z

Weaknesses