Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Published: March 25, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-33658 (NVD)
- GHSA: GHSA-p9fm-f462-ggrg
- Vendor Advisory: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
GEM
FRAMEWORK
PATCHED VERSIONS
~> 7.2.3, >= 7.2.3.1
~> 8.0.4, >= 8.0.4.1
>= 8.1.2.1
DESCRIPTION
Impact
Active Storage’s proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.
RELATED
- https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906
- https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released
- https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch
- https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c.patch
- https://github.com/rails/rails/commit/b8a1665824a43d71cd6406cf9adcae842ceb1c22.patch
- https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
- https://github.com/advisories/GHSA-p9fm-f462-ggrg