VDB

CVE-2026-33174

CVE-2026-33174 PUBLISHED CVSS 6.599999904632568 MEDIUM

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

EPSS 0.02% · 7.1th percentile

Risk Scores

CVSS v4.0
6.599999904632568
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
EPSS Score
0.02%
7.1th percentile

Affected Products

VendorProductVersions
railsactivestorage*, >= 8.0.0.beta1, < 8.0.4.1, < 7.2.3.1
RubyGemsactivestorage8.1.0.beta1, 0, *
rubyonrailsrails0, 8.0.0, 8.1.0

Timeline

  • Mar 23, 2026 CVE Published
  • Mar 24, 2026 EPSS Score
  • Mar 24, 2026 PoC Published
  • Mar 24, 2026 Security Advisory
  • Mar 25, 2026 EPSS Score
  • Mar 25, 2026 Coalition ESS Score
  • May 13, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score

References

…and 3 more

Open in Interactive Console →
$ Console Community · 100/wk Open console ›