CVE-2020-8162
Description
A client-side enforcement of server-side security vulnerability exists in Rails < 5.2.4.3 and Rails < 6.0.3.1 in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user, bypassing upload limits.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in Rails ActiveStorage's S3 adapter allows attackers to bypass file size limits by modifying the Content-Length of direct upload URLs.
Vulnerability
Overview
CVE-2020-8162 is a client-side enforcement of server-side security weakness in Ruby on Rails ActiveStorage's S3 service, affecting versions before 5.2.4.3 and 6.0.3.1 [2][4]. For a direct upload the server issues a presigned S3 PUT URL for the byte size the client declared; the flaw is that the Content-Length was not among the headers bound by that signature, so nothing on the server side independently held the upload to that size [1]. An attacker can therefore send the PUT with a different Content-Length under the same signature and bypass a file size limit the application believes it is enforcing.
Attack
Vector
The vulnerability is reachable by any end user who can request a direct upload from an application that uses ActiveStorage with the S3 service [4]. No special network position or authentication is required beyond normal application access [1]. The client asks the server for a presigned upload URL for a stated byte size, then sends the PUT to S3 with a different Content-Length header; because that header is not covered by the signature, S3 accepts the request as signed, and the attacker never needs a new signature from the server to change the value [4].
Impact
Successful exploitation allows an attacker to upload files of arbitrary size, bypassing the upload size controls the Rails application relies on [2][4]. This can lead to storage exhaustion or denial of service, or place a far larger payload than expected where downstream processing assumes the declared size. The Rails security team rated the issue low severity, but it can still enable further attacks when combined with other application weaknesses [4].
Mitigation
Patches are available in Rails 5.2.4.3 and 6.0.3.1, which make the Content-Length part of what the presigned S3 upload URL signs, so a PUT with a different length no longer matches the signature [4]. Applications that do not use ActiveStorage's direct upload feature with the S3 service are not affected [4]. The advisory offers no workaround; upgrading is the fix [4]. Even after upgrading, an application that wants an upload limit still has to enforce it server-side on the blob's byte size, since the presigned URL is only as strict as the size the application agreed to sign. The CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
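The mechanism above, as an added example that is not code from Rails, the AWS SDK, or this page: a toy model of a SigV4-style presigned PUT, with one HMAC over a canonical string standing in for the real scoped-key derivation. It keeps the one property that matters here, that only the headers listed in X-Amz-SignedHeaders are bound by the signature, and shows the vulnerable shape (Content-Length passed but not signed) beside the fixed shape (Content-Length signed). To my reading of the advisory and the aws-sdk-ruby issue it cites, the Rails change was to add Content-Length to the signed headers via the SDK's `whitelist_headers` option; treat that detail, the bucket host, the secret, and the object key as assumptions.

```ruby
require "openssl"

# Toy SigV4-style presigning for illustration only (not the AWS implementation).
SECRET_KEY  = "constructed-secret-for-the-example" # constructed, not a real AWS secret
BUCKET_HOST = "example-bucket.s3.amazonaws.com"    # assumed bucket host

# Constant-time string comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The string the signature covers: method, object key, query string, and
# exactly the headers named in signed_headers (lower-cased names).
def canonical_string(method, key, query, headers, signed_headers)
  canon = signed_headers.map { |h| "#{h}:#{headers.fetch(h)}" }
  [method, key, query, canon.join("\n"), signed_headers.join(";")].join("\n")
end

def sign(string_to_sign)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET_KEY, string_to_sign)
end

# Server side (the role ActiveStorage plays): issue a presigned PUT for +key+
# for the declared content_length. With sign_content_length: false the length
# is passed along but never signed (the vulnerable shape); with true it joins
# the signed headers, which is what whitelisting Content-Length achieves.
def presign_put(key, content_length:, sign_content_length:, expires_in: 300)
  signed_headers = ["host"]
  signed_headers << "content-length" if sign_content_length
  headers = { "host" => BUCKET_HOST, "content-length" => content_length.to_s }
  query = "X-Amz-Expires=#{expires_in}&X-Amz-SignedHeaders=#{signed_headers.join('%3B')}"
  signature = sign(canonical_string("PUT", key, query, headers, signed_headers))
  { key: key, query: query, signed_headers: signed_headers,
    signature: signature, headers: headers }
end

# Storage side (the role S3 plays): recompute the signature from the headers the
# client actually sent, but only over the signed ones. Unsigned headers are not
# consulted, so a changed Content-Length passes whenever it was never signed.
def verify_put(presigned, request_headers)
  expected = sign(canonical_string("PUT", presigned[:key], presigned[:query],
                                   request_headers, presigned[:signed_headers]))
  secure_equal?(expected, presigned[:signature])
rescue KeyError
  false # a signed header is missing from the request
end

# Client side: reuse the presigned URL but claim a different Content-Length.
def upload_with_claimed_length(presigned, claimed_length)
  headers = presigned[:headers].merge("content-length" => claimed_length.to_s)
  verify_put(presigned, headers)
end

# Run both shapes against an honest 1 MiB upload and a 5 GiB one the application
# meant to reject. Returns which requests the storage side would accept.
def demo(limit: 1_048_576, oversized: 5 * 1024**3)
  vulnerable = presign_put("uploads/constructed-key", content_length: limit, sign_content_length: false)
  fixed      = presign_put("uploads/constructed-key", content_length: limit, sign_content_length: true)
  {
    vulnerable_honest: upload_with_claimed_length(vulnerable, limit),
    vulnerable_bypass: upload_with_claimed_length(vulnerable, oversized), # accepted: the bypass
    fixed_honest:      upload_with_claimed_length(fixed, limit),
    fixed_bypass:      upload_with_claimed_length(fixed, oversized),      # rejected
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, accepted| puts "#{name}: #{accepted ? 'accepted' : 'rejected'}" }
end
```

The point to carry back to a real deployment is that a presigned URL only constrains what it signs: any size, type, or checksum limit the application expects S3 to enforce has to be in the signed set, and the server must still validate the values it agrees to sign.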
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| activestorage | RubyGems | >= 5.0.0, < 5.2.4.3 | 5.2.4.3 |
| activestorage | RubyGems | >= 6.0.0, < 6.0.3.1 | 6.0.3.1 |
Affected products
- rails/ActiveStorage's S3 adapter (description)
- ghsa-coords (2 versions): >= 5.0.0, < 5.2.4.3, + 1 more
- (no CPE) range: >= 5.0.0, < 5.2.4.3
- (no CPE) range: < 6.0.4.4-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m42x-37p3-fv5w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-8162 (GHSA, advisory)
- www.debian.org/security/2020/dsa-4766 (GHSA, vendor advisory, x_refsource_DEBIAN, web)
- github.com/aws/aws-sdk-ruby/issues/2098 (GHSA, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml (GHSA, web)
- groups.google.com/forum/ (GHSA, web)
- groups.google.com/g/rubyonrails-security/c/PjU3946mreQ (GHSA, x_refsource_MISC, web)
- hackerone.com/reports/789579 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.