Description
CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3.
Published: 2026-06-16
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CarrierWave is a Ruby file‑upload framework that relies on a content type denylist to block dangerous MIME types such as image/svg+xml. Prior to versions 2.2.7 and 3.1.3 the denylist does not escape characters that have special meaning in regular expressions. An entry like image/svg+xml is turned into /image\/svg+xml/, where the + is interpreted as a regex quantifier rather than a literal plus sign, so the expression never matches the real MIME type. Consequently the intended block is bypassed and a rogue SVG containing JavaScript can be stored in the application. If that file is later rendered inline, the script runs in users’ browsers, causing stored cross‑site scripting. This impact is a stored XSS vulnerability that can lead to session hijacking, credential theft, or arbitrary code execution in the context of the victim.

Affected Systems

The flaw exists in CarrierWave’s uploader content type denylist component. It affects any Ruby application that uses the CarrierWave gem version 2.2.x before 2.2.7 or 3.1.x before 3.1.3. Public code in lib/carrierwave/uploader/content_type_denylist.rb implements the problematic logic for these releases.

Risk and Exploitability

The CVSS score is 4.7, indicating moderate severity. The EPSS score is less than 1 %, meaning the probability of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need only upload a file through the gem’s file‑upload endpoint and supply a MIME type such as image/svg+xml that is intended to be blocked; the bypass allows the file to persist and be rendered. Because the exploit requires no elevated privileges or special network access, the vector is likely remote and relying on the application's upload interface. An affected deployment that serves stored SVG files inline is at risk of stored XSS, which can compromise confidentiality and integrity of affected users.

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CarrierWave to version 2.2.7 or newer 3.1.3 or later to receive the fixed content type denylist logic.
  • If an upgrade is not feasible, modify denylist entries to properly escape regex metacharacters, for example by using Regexp.quote and anchoring the pattern with \A and \z, or by removing problematic MIME types from the denylist entirely.
  • Restrict the inline serving of SVG and other risky MIME types from user uploads; serve such files from a dedicated, non‑executable location or strip embedded scripts before rendering.

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7g26-2qgj-chfg CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Carrierwave Project
Carrierwave Project carrierwave
Vendors & Products Carrierwave Project
Carrierwave Project carrierwave

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3.
Title CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
Weaknesses CWE-184
CWE-625
CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Subscriptions

Carrierwave Project Carrierwave
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T18:12:37.182Z

Reserved: 2026-05-06T21:49:12.425Z

Link: CVE-2026-44587

cve-icon Vulnrichment

Updated: 2026-06-17T18:07:02.951Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-184

    Incomplete List of Disallowed Inputs

  • CWE-625

    Permissive Regular Expression

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')