Vulnerability_id VCID-qxe4-dubt-1kfp
Summary
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
### Impact
When serving files through Active Storage's `Blobs::ProxyController`, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in denial of service through memory exhaustion.

### Releases
The fixed releases are available at the normal locations.
Aliases
0
alias CVE-2026-33174
1
alias GHSA-r46p-8f7g-vvvg
Fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
1
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
2
url pkg:gem/activestorage@7.2.3.1
purl pkg:gem/activestorage@7.2.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ad6q-vtdf-syb6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@7.2.3.1
3
url pkg:gem/activestorage@8.0.4.1
purl pkg:gem/activestorage@8.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ad6q-vtdf-syb6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@8.0.4.1
4
url pkg:gem/activestorage@8.1.2.1
purl pkg:gem/activestorage@8.1.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@8.1.2.1
Affected_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-n8r7-wthv-fqaj
7
vulnerability VCID-qxe4-dubt-1kfp
8
vulnerability VCID-sarm-n22v-akcm
9
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3%2Bdfsg-3?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3%2Bdfsg-3?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3%252Bdfsg-3%3Fdistro=trixie
7
url pkg:deb/debian/rails@2:7.2.3%2Bdfsg-3
purl pkg:deb/debian/rails@2:7.2.3%2Bdfsg-3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3%252Bdfsg-3
8
url pkg:gem/activestorage@8.0.0.beta1
purl pkg:gem/activestorage@8.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a6z9-5n6k-2kak
1
vulnerability VCID-ad6q-vtdf-syb6
2
vulnerability VCID-hatd-vkun-13hj
3
vulnerability VCID-qxe4-dubt-1kfp
4
vulnerability VCID-wpmk-wgpm-cuee
5
vulnerability VCID-yzpx-3gam-y3bu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@8.0.0.beta1
9
url pkg:gem/activestorage@8.1.0.beta1
purl pkg:gem/activestorage@8.1.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a6z9-5n6k-2kak
1
vulnerability VCID-ad6q-vtdf-syb6
2
vulnerability VCID-hatd-vkun-13hj
3
vulnerability VCID-qxe4-dubt-1kfp
4
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@8.1.0.beta1
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33174.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33174.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33174
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.05666
published_at 2026-04-18T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.05654
published_at 2026-04-16T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05699
published_at 2026-04-13T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.05705
published_at 2026-04-12T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05712
published_at 2026-04-11T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05733
published_at 2026-04-09T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05706
published_at 2026-04-08T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05668
published_at 2026-04-07T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05678
published_at 2026-04-04T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05638
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33174
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33174
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33174
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
6
reference_url https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
7
reference_url https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33174
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33174
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450544
reference_id 2450544
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450544
15
reference_url https://github.com/advisories/GHSA-r46p-8f7g-vvvg
reference_id GHSA-r46p-8f7g-vvvg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r46p-8f7g-vvvg
Weaknesses
0
cwe_id 789
name Memory Allocation with Excessive Size Value
description The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
1
cwe_id 770
name Allocation of Resources Without Limits or Throttling
description The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Exploits
Severity_range_score 4.0 - 7.5
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qxe4-dubt-1kfp