CVE-2026-33658Allocation of Resources Without Limits or Throttling in Rails Activestorage

CWE-770Allocation of Resources Without Limits or Throttling8 documents7 sources
Severity
2.3LOWNVD
EPSS
0.1%
top 84.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rails Activestorage
Timeline
PublishedMar 26

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5rails/activestorage< 7.2.3.1+2
RubyGemsrails/activestorage8.1.08.1.2.1+2

🔴Vulnerability Details

4
CVEList
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests2026-03-26
OSV
CVE-2026-33658: Active Storage allows users to attach cloud and local files in Rails applications2026-03-26
GHSA
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests2026-03-25
OSV
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests2026-03-25

📋Vendor Advisories

2
Red Hat
rails: activestorage: Active Storage: Denial of Service via HTTP Range header processing2026-03-26
Debian
CVE-2026-33658: rails - Active Storage allows users to attach cloud and local files in Rails application...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-33658 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-33658 — Rails Activestorage vulnerability | cvebase