RubyGems package
activestorage
pkg:gem/activestorage
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33658 | Med | 6.5 | >= 8.1.0, < 8.1.2.1 | 8.1.2.1 | Mar 26, 2026 | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes d | |
| CVE-2026-33202 | — | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains | ||
| CVE-2026-33195 | — | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key | ||
| CVE-2026-33174 | — | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sendi | ||
| CVE-2026-33173 | — | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 | Mar 23, 2026 | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `anal | ||
| CVE-2025-24293 | Cri | — | >= 8.0, < 8.0.2.1 | 8.0.2.1 | Jan 30, 2026 | # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the s | |
| CVE-2024-26144 | — | >= 5.2.0, < 6.1.7.7 | 6.1.7.7 | Feb 27, 2024 | Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to | ||
| CVE-2022-21831 | — | >= 5.2.0, < 5.2.6.3 | 5.2.6.3 | May 26, 2022 | A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments. | ||
| CVE-2020-8162 | — | >= 5.0.0, < 5.2.4.3 | 5.2.4.3 | Jun 19, 2020 | A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | ||
| CVE-2018-16477 | — | >= 5.2.0, < 5.2.1.1 | 5.2.1.1 | Nov 30, 2018 | A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with othe |
- affected >= 8.1.0, < 8.1.2.1fixed 8.1.2.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes d
- CVE-2026-33202Mar 23, 2026affected >= 8.1.0.beta1, < 8.1.2.1fixed 8.1.2.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains
- CVE-2026-33195Mar 23, 2026affected >= 8.1.0.beta1, < 8.1.2.1fixed 8.1.2.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key
- CVE-2026-33174Mar 23, 2026affected >= 8.1.0.beta1, < 8.1.2.1fixed 8.1.2.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sendi
- CVE-2026-33173Mar 23, 2026affected >= 8.1.0.beta1, < 8.1.2.1fixed 8.1.2.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `anal
- affected >= 8.0, < 8.0.2.1fixed 8.0.2.1
# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the s
- CVE-2024-26144Feb 27, 2024affected >= 5.2.0, < 6.1.7.7fixed 6.1.7.7
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to
- CVE-2022-21831May 26, 2022affected >= 5.2.0, < 5.2.6.3fixed 5.2.6.3
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
- CVE-2020-8162Jun 19, 2020affected >= 5.0.0, < 5.2.4.3fixed 5.2.4.3
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
- CVE-2018-16477Nov 30, 2018affected >= 5.2.0, < 5.2.1.1fixed 5.2.1.1
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with othe