Rails Activestorage vulnerabilities

6 known vulnerabilities affecting rails/activestorage.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 3, LOW 1

Vulnerabilities

CVE-2026-33658 | LOW | CVSS 2.3 | Affected: >= 8.1.0, < 8.1.2.1; >= 8.0.0, < 8.0.4.1; +1 more | 2026-03-26
CVE-2026-33658 [LOW] CWE-770: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file,
Sources: cvelistv5, nvd
CVE-2026-33195 | HIGH | CVSS 8.0 | Affected: >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; +1 more | 2026-03-24
CVE-2026-33195 [HIGH] CWE-22: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow
Sources: cvelistv5, nvd
CVE-2026-33174 | MEDIUM | CVSS 6.6 | Affected: >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; +1 more | 2026-03-24
CVE-2026-33174 [MEDIUM] CWE-789: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-
Sources: cvelistv5, nvd
CVE-2026-33202 | MEDIUM | CVSS 6.6 | Affected: >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; +1 more | 2026-03-24
CVE-2026-33202 [MEDIUM] CWE-74: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharact
Sources: cvelistv5, nvd
CVE-2026-33173 | MEDIUM | CVSS 5.3 | Affected: >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; +1 more | 2026-03-24
CVE-2026-33173 [MEDIUM] CWE-925: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can
Sources: cvelistv5, nvd
CVE-2025-24293 | CRITICAL | CVSS 9.2 | Affected: ≥ 5.2, < 5.*; ≥ 7.0, < 7.1.5.2; +1 more | 2026-01-30
CVE-2025-24293 [CRITICAL] CWE-77: Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in ca
Sources: cvelistv5, nvd