Vulnerability Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
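The memory behaviour described above, as an added example that is not Rails code and not the project's patch: a single-range `Range` parser, the vulnerable pattern (materialise the whole requested range in one buffer, so `bytes=0-` costs one file's worth of memory per request), and one way to bound it by walking the range in fixed-size chunks. The 1 MiB blob, the 64 KiB chunk size and the helper names are assumptions constructed for the demo.

```ruby
# Added example, not Rails code and not the upstream fix. Shows why an
# unbounded Range request is dangerous when the server materialises the
# whole requested range in memory, and one way to cap memory use by
# streaming the range in fixed-size chunks.
require "stringio"

# Parse a single-range HTTP Range header ("bytes=start-end", "bytes=start-",
# "bytes=-suffix") against a resource of `size` bytes. Returns [first, last]
# (inclusive byte offsets) or nil when the header is absent, malformed, or
# unsatisfiable. Multi-range requests are rejected (assumption: a single
# range is enough to demonstrate the problem).
def parse_range(header, size)
  return nil if header.nil?
  m = header.match(/\Abytes=(\d*)-(\d*)\z/)
  return nil unless m
  first_s, last_s = m[1], m[2]
  if first_s.empty?
    return nil if last_s.empty?
    suffix = last_s.to_i
    return nil if suffix.zero?
    first = [size - suffix, 0].max
    last = size - 1
  else
    first = first_s.to_i
    last = last_s.empty? ? size - 1 : [last_s.to_i, size - 1].min
  end
  return nil if first > last || first >= size
  [first, last]
end

# Vulnerable pattern: read the entire requested range into one String before
# handing it to the response. Peak memory equals the range length, which for
# "bytes=0-" is the whole file. Returns [body, peak_bytes].
def serve_range_in_memory(io, first, last)
  io.seek(first)
  body = io.read(last - first + 1)
  [body, body.bytesize]
end

# Hardened pattern: walk the range in bounded chunks, yielding each chunk to
# the caller (standing in for the response stream). Peak memory is bounded by
# chunk_size no matter how large the range is. Returns peak_bytes.
def serve_range_chunked(io, first, last, chunk_size: 64 * 1024)
  raise ArgumentError, "chunk_size must be positive" unless chunk_size.positive?
  io.seek(first)
  remaining = last - first + 1
  peak = 0
  while remaining.positive?
    chunk = io.read([chunk_size, remaining].min)
    break if chunk.nil? # backing store shorter than advertised size
    peak = [peak, chunk.bytesize].max
    remaining -= chunk.bytesize
    yield chunk
  end
  peak
end

# Constructed sample: a 1 MiB blob served through both strategies using the
# unbounded header from the advisory. Returns the peak buffer size of each
# strategy so the difference can be checked rather than just printed.
def demo(header = "bytes=0-", size: 1024 * 1024)
  content = (("A".."Z").to_a.join * (size / 26 + 1)).byteslice(0, size)
  range = parse_range(header, content.bytesize)
  return nil unless range
  first, last = range
  body, vuln_peak = serve_range_in_memory(StringIO.new(content), first, last)
  out = +""
  safe_peak = serve_range_chunked(StringIO.new(content), first, last) { |c| out << c }
  { range: range,
    vulnerable_peak_bytes: vuln_peak,
    chunked_peak_bytes: safe_peak,
    bodies_match: out == body }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running the file prints the peak buffer size of each strategy for the same 1 MiB request: the in-memory version holds the full 1 MiB, the chunked version never holds more than 64 KiB, and both deliver identical bytes. The parser also treats `bytes=1000-` on a 1000-byte resource as unsatisfiable, the case a proxy should answer with 416 rather than allocating anything.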
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Affected Versions | Fixed In |
|---|---|---|---|
| Rubyonrails | Rails (Active Storage) | 7.2.x < 7.2.3.1 | 7.2.3.1 |
| Rubyonrails | Rails (Active Storage) | 8.0.x < 8.0.4.1 | 8.0.4.1 |
| Rubyonrails | Rails (Active Storage) | 8.1.x < 8.1.2.1 | 8.1.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5 (Patch)
- https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a (Patch)
- https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b (Patch)
- https://github.com/rails/rails/releases/tag/v7.2.3.1 (Release Notes)
- https://github.com/rails/rails/releases/tag/v8.0.4.1 (Release Notes)
- https://github.com/rails/rails/releases/tag/v8.1.2.1 (Release Notes)
- https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg (Vendor Advisory)
FAQ
What is CVE-2026-33174?
CVE-2026-33174 is a vulnerability with a CVSS base score of 7.5 (HIGH). Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it, so a request with a large or unbounded Range header (e.g. `bytes=0-`) makes the server allocate memory proportional to the file size and can exhaust memory (DoS).
How severe is CVE-2026-33174?
CVE-2026-33174 has been rated HIGH with a CVSS base score of 7.5/10. The impact is availability only (memory exhaustion of the process serving proxied Active Storage files); it is reachable by any unauthenticated client that can send a Range request for a proxied file.
Is there a patch for CVE-2026-33174?
Yes. Rails 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain the fix; the patch commits and the vendor advisory (GHSA-r46p-8f7g-vvvg) are listed in the references section above. Applications on an affected release that serve files in proxy delivery mode should upgrade to the patched release for their series; applications using redirect delivery mode do not route file bytes through the proxy controller and are not affected by this issue.