CVE-2026-33174
Last modified
CVE-2026-33174 is a medium-severity vulnerability rated 6.6/10 on the CVSS scale. Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. EPSS estimates a 0.61% chance of exploitation in the next 30 days.
Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Rubyonrails | Rails | < 7.2.3.1 |
| Rubyonrails | Rails | >= 8.0.0, < 8.0.4.1 |
| Rubyonrails | Rails | >= 8.1.0, < 8.1.2.1 |
References
- https://github.com/rails/rails/releases/tag/v7.2.3.1Release Notes
- https://github.com/rails/rails/releases/tag/v8.0.4.1Release Notes
- https://github.com/rails/rails/releases/tag/v8.1.2.1Release Notes
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-33174?
How severe is CVE-2026-33174?
How do I fix CVE-2026-33174?
Are you affected by CVE-2026-33174?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST