{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33658", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.219Z", "datePublished": "2026-03-26T21:03:25.319Z", "dateUpdated": "2026-03-30T11:42:24.885Z"}, "containers": {"cna": {"title": "Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg"}, {"name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml", "tags": ["x_refsource_MISC"], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml"}], "affected": [{"vendor": "rails", "product": "activestorage", "versions": [{"version": ">= 8.1.0, < 8.1.2.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.4.1", "status": "affected"}, {"version": "< 7.2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:03:25.319Z"}, "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1\nActive Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "source": {"advisory": "GHSA-p9fm-f462-ggrg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:42:16.532847Z", "id": "CVE-2026-33658", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:42:24.885Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33658", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:42:16.532847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:42:21.380Z"}}], "cna": {"title": "Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests", "source": {"advisory": "GHSA-p9fm-f462-ggrg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "rails", "product": "activestorage", "versions": [{"status": "affected", "version": ">= 8.1.0, < 8.1.2.1"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.4.1"}, {"status": "affected", "version": "< 7.2.3.1"}]}], "references": [{"url": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg", "name": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml", "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1\nActive Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:03:25.319Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33658", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:42:24.885Z", "dateReserved": "2026-03-23T15:23:42.219Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T21:03:25.319Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1\nActive Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}, {"lang": "es", "value": "Active Storage permite a los usuarios adjuntar archivos en la nube y locales en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, el controlador proxy de Active Storage no limita el n\u00famero de rangos de bytes en un encabezado HTTP Range. Una solicitud con miles de rangos peque\u00f1os causa un uso desproporcionado de la CPU en comparaci\u00f3n con una solicitud normal para el mismo archivo, lo que posiblemente resulte en una vulnerabilidad de DoS. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."}], "id": "CVE-2026-33658", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T22:16:29.387", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg"}, {"source": "security-advisories@github.com", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "rails: activestorage: Active Storage: Denial of Service via HTTP Range header processing", "id": "2451983", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451983"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Active Storage, a component of Rails applications that handles file attachments. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP request with an excessive number of small byte ranges in the HTTP Range header. This action causes the Active Storage proxy controller to consume a disproportionate amount of CPU resources, leading to a Denial of Service (DoS) condition. This could make the affected Rails application unresponsive or unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33658", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "rubygem-activestorage", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/rubygem-activestorage", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-26T21:03:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33658\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33658\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg\nhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml"], "threat_severity": "Moderate"}