ADVISORIES

• CVE-2026-33658 (NVD)
• GHSA-p9fm-f462-ggrg
• Vendor Advisory

GEM

activestorage

FRAMEWORK

Ruby on Rails

PATCHED VERSIONS

• ~> 7.2.3.1
• ~> 8.0.4.1
• >= 8.1.2.1

DESCRIPTION

Impact

Active Storage’s proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

RELATED

• https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906
• https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released
• https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch
• https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c.patch
• https://github.com/rails/rails/commit/b8a1665824a43d71cd6406cf9adcae842ceb1c22.patch
• https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
• https://github.com/advisories/GHSA-p9fm-f462-ggrg