Rails Active Storage has possible content type bypass via metadata in direct uploads
Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe content_type, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
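As an added illustration (not Rails code and not the upstream patch), a simplified Ruby model of the pattern the description identifies: internal flags sharing one metadata hash with client-supplied keys, so a client-set identified flag skips server-side sniffing, alongside a hardened builder that strips reserved keys before persisting. Class, method and key names other than identified and analyzed are assumptions of this model.

```ruby
require "stringio"

# Stand-in for a direct-upload blob record. NOT Active Storage's real class;
# it only reproduces the advisory's condition: internal bookkeeping flags
# live in the same metadata hash as client-supplied keys.
class ToyBlob
  INTERNAL_FLAGS = %w[identified analyzed].freeze # flag names from the advisory
  attr_reader :content_type, :metadata
  def initialize(content_type:, metadata:)
    @content_type = content_type
    @metadata = metadata
  end

  # Stand-in for server-side MIME sniffing on the uploaded bytes; like the
  # described pattern, it is skipped when the "identified" flag is already set.
  def identify!(io)
    return if metadata["identified"]
    magic = io.read(8).to_s
    png = "\x89PNG\r\n\x1A\n".b
    @content_type = magic.start_with?(png) ? "image/png" : "application/octet-stream"
    metadata["identified"] = true
  end
end

# Vulnerable pattern: persist client-supplied metadata as-is.
def create_blob_unsafe(params)
  ToyBlob.new(content_type: params["content_type"],
              metadata: params.fetch("metadata", {}).dup)
end

# Hardened pattern: drop reserved internal keys from client metadata before
# persisting, so the server's own identification step always runs.
def create_blob_safe(params)
  clean = params.fetch("metadata", {}).reject do |key, _|
    ToyBlob::INTERNAL_FLAGS.include?(key.to_s)
  end
  ToyBlob.new(content_type: params["content_type"], metadata: clean)
end

# Constructed request: claims image/png and pre-sets both internal flags,
# while the uploaded bytes are actually an HTML document.
CLIENT_PARAMS = {
  "content_type" => "image/png",
  "metadata" => { "identified" => true, "analyzed" => true, "label" => "avatar" },
}.freeze
UPLOAD_BYTES = "<html><body>not an image</body></html>".b.freeze

# Build the blob with the given builder, run identification, return the result.
def detected_type(builder)
  blob = method(builder).call(CLIENT_PARAMS)
  blob.identify!(StringIO.new(UPLOAD_BYTES))
  blob.content_type
end
```

With the unsafe builder the claimed image/png survives unchallenged; with the safe builder sniffing runs and reports application/octet-stream for the same bytes.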
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activestorage (RubyGems) | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 |
| activestorage (RubyGems) | >= 8.0.0.beta1, < 8.0.4.1 | 8.0.4.1 |
| activestorage (RubyGems) | < 7.2.3.1 | 7.2.3.1 |
Affected products
Affected ranges by package (OSV coordinates; no CPE assigned):
- pkg:apk/chainguard/gitlab-rails-ce-18.10: < 18.10.3-r1
- pkg:apk/chainguard/gitlab-rails-ce-fips-18.9: < 18.9.5-r0
- pkg:apk/chainguard/ruby3.2-rails-8.1: < 8.1.3-r0
- pkg:apk/chainguard/ruby3.4-rails-8.0: < 8.0.5-r0
- pkg:apk/wolfi/ruby3.2-rails-8.1: < 8.1.3-r0
- pkg:apk/wolfi/ruby3.4-rails-8.0: < 8.0.5-r0
- pkg:gem/activestorage: >= 8.1.0.beta1, < 8.1.2.1
References
- https://github.com/advisories/GHSA-qcfx-2mfw-w4cg (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33173 (advisory)
- https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
- https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
- https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
- https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg (vendor advisory)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33173.yml