VYPR
Medium severity6.5NVD Advisory· Published Mar 26, 2026· Updated Apr 30, 2026

CVE-2026-33658

CVE-2026-33658

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
activestorageRubyGems
>= 8.1.0, < 8.1.2.18.1.2.1
activestorageRubyGems
>= 8.0.0, < 8.0.4.18.0.4.1
activestorageRubyGems
< 7.2.3.17.2.3.1

Affected products

7

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.