CVE-2026-33174

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5	Patch
https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a	Patch
https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b	Patch
https://github.com/rails/rails/releases/tag/v7.2.3.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.0.4.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.1.2.1	Release Notes
https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::

History

24 Mar 2026, 17:55

Type	Values Removed	Values Added
References	~~() https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5 -~~	() https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5 - Patch
References	~~() https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a -~~	() https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a - Patch
References	~~() https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b -~~	() https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b - Patch
References	~~() https://github.com/rails/rails/releases/tag/v7.2.3.1 -~~	() https://github.com/rails/rails/releases/tag/v7.2.3.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.0.4.1 -~~	() https://github.com/rails/rails/releases/tag/v8.0.4.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.1.2.1 -~~	() https://github.com/rails/rails/releases/tag/v8.1.2.1 - Release Notes
References	~~() https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg -~~	() https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg - Vendor Advisory
Summary		(es) Active Storage permite a los usuarios adjuntar archivos en la nube y locales en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, al servir archivos a través del modo de entrega de proxy de Active Storage, el controlador de proxy carga todo el rango de bytes solicitado en la memoria antes de enviarlo. Una solicitud con un encabezado Range grande o ilimitado (por ejemplo, 'bytes=0-') podría hacer que el servidor asigne memoria proporcional al tamaño del archivo, posiblemente resultando en una vulnerabilidad de DoS a través del agotamiento de la memoria. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche.
First Time		Rubyonrails Rubyonrails rails
CPE		cpe:2.3:a:rubyonrails:rails::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

24 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 00:16

Updated : 2026-03-24 17:55

NVD link : CVE-2026-33174

Mitre link : CVE-2026-33174

CVE.ORG link : CVE-2026-33174

JSON object : View

Products Affected

rubyonrails

rails

CWE

CWE-789

Memory Allocation with Excessive Size Value

7.5 /10