{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33658", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.219Z", "datePublished": "2026-03-26T21:03:25.319Z", "dateUpdated": "2026-03-30T11:42:24.885Z"}, "containers": {"cna": {"title": "Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg"}, {"name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml", "tags": ["x_refsource_MISC"], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml"}], "affected": [{"vendor": "rails", "product": "activestorage", "versions": [{"version": ">= 8.1.0, < 8.1.2.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.4.1", "status": "affected"}, {"version": "< 7.2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:03:25.319Z"}, "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1\nActive Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "source": {"advisory": "GHSA-p9fm-f462-ggrg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:42:16.532847Z", "id": "CVE-2026-33658", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:42:24.885Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33658", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:42:16.532847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:42:21.380Z"}}], "cna": {"title": "Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests", "source": {"advisory": "GHSA-p9fm-f462-ggrg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "rails", "product": "activestorage", "versions": [{"status": "affected", "version": ">= 8.1.0, < 8.1.2.1"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.4.1"}, {"status": "affected", "version": "< 7.2.3.1"}]}], "references": [{"url": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg", "name": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml", "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1\nActive Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:03:25.319Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33658", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:42:24.885Z", "dateReserved": "2026-03-23T15:23:42.219Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T21:03:25.319Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9DC6CB9-DC6C-4CBB-9806-3936ADBC8F1B", "versionEndExcluding": "7.2.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8791E1-8B96-43F6-A3EC-A7E60D700330", "versionEndExcluding": "8.0.4.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "978E0135-D14B-41DE-87E4-CF059A23E189", "versionEndExcluding": "8.1.2.1", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1\nActive Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}, {"lang": "es", "value": "Active Storage permite a los usuarios adjuntar archivos en la nube y locales en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, el controlador proxy de Active Storage no limita el n\u00famero de rangos de bytes en un encabezado HTTP Range. Una solicitud con miles de rangos peque\u00f1os causa un uso desproporcionado de la CPU en comparaci\u00f3n con una solicitud normal para el mismo archivo, lo que posiblemente resulte en una vulnerabilidad de DoS. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."}], "id": "CVE-2026-33658", "lastModified": "2026-04-30T19:02:21.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T22:16:29.387", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "rails: activestorage: Active Storage: Denial of Service via HTTP Range header processing", "id": "2451983", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451983"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Active Storage, a component of Rails applications that handles file attachments. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP request with an excessive number of small byte ranges in the HTTP Range header. This action causes the Active Storage proxy controller to consume a disproportionate amount of CPU resources, leading to a Denial of Service (DoS) condition. This could make the affected Rails application unresponsive or unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33658", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "rubygem-activestorage", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/rubygem-activestorage", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-26T21:03:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33658\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33658\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg\nhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.1.0,8.1.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0.0,8.0.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.2.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "activestorage", "source": "cna", "vendor": "rails"}, "product": "activestorage", "vendor": "rails"}], "analysis": {"en": {"generated_at": "2026-03-26T22:52:54.134257+00:00", "value": {"mitigation_remediation": ["Upgrade Rails to at least version 8.1.2.1, 8.0.4.1, or 7.2.3.1 to eliminate the vulnerability."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue applies to the Rails Active Storage component in all Rails releases that precede version 8.1.2.1, 8.0.4.1, and 7.2.3.1. Any application running these older major or minor releases, whether using cloud or local file attachments, is vulnerable. Updating to the mentioned patched releases removes the problem.", "description_and_impact": "Active Storage\u2019s proxy controller parses HTTP Range headers without limiting the number of byte ranges. An attacker can send a request that contains thousands of very small ranges, forcing the server to process each one individually. Because each element in the range list consumes CPU cycles, the resulting request can disproportionately exhaust server resources, potentially slowing or suspending legitimate traffic. This vulnerability is classified as a resource exhaustion denial of service under CWE\u2011770.", "risk_and_exploitability": "The CVSS score of 2.3 indicates a low severity rating, and no EPSS score is provided. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector, inferred from the description, is an unauthenticated HTTP request to the application\u2019s proxy endpoint, which is typically reachable from the public Internet. Even though exploitation is simple and requires no credentials, the low score and limited evidence of active exploitation suggest a relatively modest threat at present. However, high\u2011traffic services could still suffer performance degradation if the vector is abused."}}}}, "created": "2026-03-27T08:31:51.228793+00:00", "updated": "2026-03-27T09:23:18.350439+00:00", "vendors": ["rails", "rails$PRODUCT$activestorage"]}