Impact
CarrierWave is a Ruby file‑upload framework that relies on a content type denylist to block dangerous MIME types such as image/svg+xml. Prior to versions 2.2.7 and 3.1.3 the denylist does not escape characters that have special meaning in regular expressions. An entry like image/svg+xml is turned into /image\/svg+xml/, where the + is interpreted as a regex quantifier rather than a literal plus sign, so the expression never matches the real MIME type. Consequently the intended block is bypassed and a rogue SVG containing JavaScript can be stored in the application. If that file is later rendered inline, the script runs in users’ browsers, causing stored cross‑site scripting. This impact is a stored XSS vulnerability that can lead to session hijacking, credential theft, or arbitrary code execution in the context of the victim.
Affected Systems
The flaw exists in CarrierWave’s uploader content type denylist component. It affects any Ruby application that uses the CarrierWave gem version 2.2.x before 2.2.7 or 3.1.x before 3.1.3. Public code in lib/carrierwave/uploader/content_type_denylist.rb implements the problematic logic for these releases.
Risk and Exploitability
The CVSS score is 4.7, indicating moderate severity. The EPSS score is less than 1 %, meaning the probability of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need only upload a file through the gem’s file‑upload endpoint and supply a MIME type such as image/svg+xml that is intended to be blocked; the bypass allows the file to persist and be rendered. Because the exploit requires no elevated privileges or special network access, the vector is likely remote and relying on the application's upload interface. An affected deployment that serves stored SVG files inline is at risk of stored XSS, which can compromise confidentiality and integrity of affected users.
OpenCVE Enrichment
Github GHSA