CVE-2026-33658

Published 26/03/2026 22:16 · Modified 26/03/2026 22:16

Labels: CVE-2026-33658, 2026-03-26, CWE-770, [email protected]

Essential information

Published: 26/03/2026 22:16
Modified: 26/03/2026 22:16
Author:
Creator:
CVSS: 2.3 LOW (v3), 2.3 LOW (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

NVD status

Status: Received. CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product        CPE
ruby / rails   cpe:2.3:a:ruby:rails:<8.1.2.1:*:*:*:*:*:*:*
ruby / rails   cpe:2.3:a:ruby:rails:<8.0.4.1:*:*:*:*:*:*:*
ruby / rails   cpe:2.3:a:ruby:rails:<7.2.3.1:*:*:*:*:*:*:*
