CVE-2026-33174

March 24, 2026, 5:55 p.m.

6.6
Medium

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Product(s) Impacted

Vendor Product Versions
Rubyonrails
  • Rails
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-789
Memory Allocation with Excessive Size Value
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a rubyonrails rails / / / / / / / /
a rubyonrails rails / / / / / / / /
a rubyonrails rails / / / / / / / /

References

https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
https://github.com/rails/rails/releases/tag/v7.2.3.1
https://github.com/rails/rails/releases/tag/v8.0.4.1
https://github.com/rails/rails/releases/tag/v8.1.2.1
https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg

Tags

[email protected]
CWE-789
2026-03-24
CVE-2026-33174

CVSS Score

6.6 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: UNREPORTED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: March 24, 2026, 12:16 a.m.
Last Modified: March 24, 2026, 5:55 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.