Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-26
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Active Storage’s proxy controller parses HTTP Range headers without limiting the number of byte ranges. An attacker can send a request that contains thousands of very small ranges, forcing the server to process each one individually. Because each element in the range list consumes CPU cycles, the resulting request can disproportionately exhaust server resources, potentially slowing or suspending legitimate traffic. This vulnerability is classified as a resource exhaustion denial of service under CWE‑770.
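To make the cost asymmetry concrete, the following Ruby is an added example written for this page; it is not Active Storage's code and the names (parse_byte_ranges, serve_unbounded, serve_bounded, MAX_RANGES, SAMPLE_DATA) are hypothetical. It parses an RFC 7233 Range header, models a proxy that does one backend fetch per range, and places the corrected version beside it, which stops doing per-range work above a cap. The cap value and the constructed 10,000-byte blob are assumptions for the demonstration.

```ruby
# Illustrative Range handling for a file proxy, written for this page; it is
# not Active Storage's code. Names are hypothetical. It models the cost of a
# multi-range request as one backend fetch per range.
MAX_RANGES = 16 # hypothetical cap; the patched Rails releases choose their own limit

# Parse an RFC 7233 "bytes=" Range header for a resource of byte_size bytes.
# Returns nil when the header is absent or malformed (serve the whole file),
# [] when no range is satisfiable (416), else a list of [first, last] pairs.
def parse_byte_ranges(header, byte_size)
  return nil unless header.is_a?(String) && header.start_with?("bytes=")

  ranges = []
  header.delete_prefix("bytes=").split(",", -1).each do |spec|
    case spec.strip
    when /\A(\d+)-(\d*)\z/ # first-last, or first- (to the end of the resource)
      first = Regexp.last_match(1).to_i
      last_s = Regexp.last_match(2)
      last = last_s.empty? ? byte_size - 1 : [last_s.to_i, byte_size - 1].min
      ranges << [first, last] if first <= last
    when /\A-(\d+)\z/ # suffix range: the last N bytes
      n = Regexp.last_match(1).to_i
      ranges << [[byte_size - n, 0].max, byte_size - 1] if n.positive?
    else
      return nil # malformed spec: ignore the whole header, as RFC 7233 allows
    end
  end
  ranges
end

# Naive proxy: fetches every requested range from the backend separately.
# Returns [status, body, fetches]; fetches stands in for per-range CPU and I/O.
def serve_unbounded(header, data)
  ranges = parse_byte_ranges(header, data.bytesize)
  return [200, data, 1] if ranges.nil?
  return [416, "", 0] if ranges.empty?

  chunks = ranges.map { |first, last| data.byteslice(first, last - first + 1) }
  [206, chunks.join, chunks.size]
end

# Hardened proxy: above max_ranges it does no per-range work at all and
# serves the whole resource (the behaviour of nginx's max_ranges directive).
def serve_bounded(header, data, max_ranges: MAX_RANGES)
  ranges = parse_byte_ranges(header, data.bytesize)
  return [200, data, 1] if ranges.nil? || ranges.size > max_ranges
  return [416, "", 0] if ranges.empty?

  chunks = ranges.map { |first, last| data.byteslice(first, last - first + 1) }
  [206, chunks.join, chunks.size]
end

# Constructed attacker header: count one-byte ranges ("bytes=0-0,1-1,2-2,...").
def attack_header(count)
  "bytes=" + Array.new(count) { |i| "#{i}-#{i}" }.join(",")
end

SAMPLE_DATA = (("0".."9").to_a.join * 1_000).freeze # constructed 10,000-byte blob

if $PROGRAM_NAME == __FILE__
  [1, 16, 5_000].each do |n|
    _, _, fetches = serve_unbounded(attack_header(n), SAMPLE_DATA)
    status, _, capped = serve_bounded(attack_header(n), SAMPLE_DATA)
    puts "#{n} ranges: unbounded=#{fetches} fetches, bounded=#{capped} fetches (HTTP #{status})"
  end
end
```

The header in the 5,000-range case is well under 50 KB, yet the unbounded path performs 5,000 fetches for 5,000 bytes of output; the bounded path answers it with one fetch. Whether an over-cap request should get the full file (200) or a 416 is a design choice; serving the full file keeps legitimate clients that send a few extra ranges working.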

Affected Systems

The issue applies to the activestorage component of Rails 7.2.x before 7.2.3.1, 8.0.x before 8.0.4.1, and 8.1.x before 8.1.2.1; releases on older branches are also prior to the patched versions and have no fixed release listed here. The vulnerable code is the proxy controller, which is reachable whether attachments are stored on a cloud service or on local disk. Applications that serve attachments in proxy mode exercise it on every download, but Active Storage draws the proxy routes by default alongside the redirect routes, so an application using the default redirect mode is not necessarily out of reach. Upgrading to the patched release for the branch in use removes the problem.

Risk and Exploitability

The CVSS v4 score of 2.3 (Low) comes from a vector that assumes low privileges (PR:L), an attack precondition (AT:P) and unproven exploitation (E:U); Red Hat's CVSS v3.1 assessment of the same issue is 7.5 (AV:N/AC:L/PR:N, availability High), which assumes an unauthenticated requester, and the two ratings differ mainly on that point. The EPSS estimate is below 1%, the issue is not in CISA's KEV catalog, and the SSVC record marks exploitation as none and the flaw as not automatable. The attack vector is a single HTTP request to the application's Active Storage proxy endpoint carrying a Range header with thousands of small ranges; that endpoint is typically reachable from the public Internet. Exploitation is simple, so the modest scores reflect the partial technical impact (service slowdown, not compromise) rather than difficulty, and high-traffic services that serve attachments in proxy mode can still be degraded by a low-volume flood of such requests.

Generated by OpenCVE AI on March 26, 2026 at 22:52 UTC.

Remediation

Fixed in Rails 8.1.2.1, 8.0.4.1, and 7.2.3.1 (GHSA-p9fm-f462-ggrg). The advisory lists no workaround other than upgrading.

OpenCVE Recommended Actions

  • Upgrade Rails (the activestorage gem ships with it) to the patched release for the branch in use: 7.2.3.1, 8.0.4.1, or 8.1.2.1.
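Where the upgrade cannot be deployed immediately, a cap on the number of ranges can be enforced before the request reaches Active Storage. The following Rack middleware is an added example written for this page, not part of Rails and not a vendor-provided workaround; the class name RangeLimiter, the rack.range_limited key, the cap of 16 and the stand-in FAKE_PROXY app are assumptions. It assumes the default Active Storage route prefix /rails/active_storage/ and counts range specs by counting commas, so the check itself cannot be made expensive by a long header.

```ruby
# Stopgap Rack middleware written for this page; it is not part of Rails or
# the vendor advisory. It drops Range headers carrying more than max_ranges
# byte ranges on Active Storage routes, so the downstream proxy controller
# serves the whole file (HTTP 200) instead of doing per-range work.
class RangeLimiter
  # Default prefix under which Active Storage draws its routes.
  PROXY_PREFIX = "/rails/active_storage/".freeze

  def initialize(app, max_ranges: 16) # 16 is a hypothetical cap
    @app = app
    @max_ranges = max_ranges
  end

  # Cheap count of range specs: commas plus one, with no per-range parsing,
  # so the check costs O(header length) however many ranges are listed.
  def self.range_count(header)
    return 0 unless header.is_a?(String) && header.start_with?("bytes=")
    header.count(",") + 1
  end

  def call(env)
    if env["PATH_INFO"].to_s.start_with?(PROXY_PREFIX) &&
       self.class.range_count(env["HTTP_RANGE"]) > @max_ranges
      env = env.dup # leave the caller's env untouched
      env.delete("HTTP_RANGE")
      env["rack.range_limited"] = true # hypothetical key, for downstream logging
    end
    @app.call(env)
  end
end

# Constructed stand-in for the proxy controller: 206 when it sees a Range
# header, 200 otherwise. Real Active Storage code is not involved.
FAKE_PROXY = lambda do |env|
  status = env.key?("HTTP_RANGE") ? 206 : 200
  [status, { "content-type" => "application/octet-stream" }, ["<blob bytes>"]]
end

# Build a minimal Rack env and run it through the stack.
def limited_request(app, path, range = nil)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  env["HTTP_RANGE"] = range if range
  app.call(env)
end

if $PROGRAM_NAME == __FILE__
  app = RangeLimiter.new(FAKE_PROXY, max_ranges: 16)
  path = "/rails/active_storage/blobs/proxy/<signed_id>/file.bin"
  flood = "bytes=" + Array.new(5_000) { |i| "#{i}-#{i}" }.join(",")
  puts "normal range:     HTTP #{limited_request(app, path, "bytes=0-1023")[0]}"
  puts "5000-range flood: HTTP #{limited_request(app, path, flood)[0]}"
end
```

In a Rails application this would be registered with config.middleware.use RangeLimiter, max_ranges: 16 in config/application.rb. The same limit can be applied earlier in the stack at a reverse proxy (nginx's max_ranges directive behaves the same way, answering over-limit requests with the full resource). Either measure is a mitigation only; the patched releases remain the fix.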



Advisories
Source: GitHub GHSA
ID: GHSA-p9fm-f462-ggrg
Title: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
History

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Rails
Rails activestorage
Vendors & Products Rails
Rails activestorage

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Title Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T11:42:24.885Z

Reserved: 2026-03-23T15:23:42.219Z

Link: CVE-2026-33658

Vulnrichment

Updated: 2026-03-30T11:42:21.380Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T22:16:29.387

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-33658

Red Hat

Severity : Moderate

Public Date: 2026-03-26T21:03:25Z

Links: CVE-2026-33658 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:23:18Z

Weaknesses