VulnerableCode Package Details - pkg:gem/activestorage@7.0.8.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-ad6q-vtdf-syb6 Aliases: CVE-2026-33658 GHSA-p9fm-f462-ggrg	Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests ### Impact Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. ### Releases The fixed releases are available at the normal locations.	7.2.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.0.4.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.1.2.1 Affected by 0 other vulnerabilities.
VCID-yzpx-3gam-y3bu Aliases: CVE-2025-24293 GHSA-r4mg-4433-c7g3	Active Storage allowed transformation methods that were potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1 Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!	7.1.5.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.2.2.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.2.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-ad6q-vtdf-syb6
Aliases:
CVE-2026-33658
GHSA-p9fm-f462-ggrg

Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests ### Impact Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. ### Releases The fixed releases are available at the normal locations.

7.2.3.1
Affected by 1 other vulnerability.

8.0.4.1
Affected by 1 other vulnerability.

8.1.2.1
Affected by 0 other vulnerabilities.

VCID-yzpx-3gam-y3bu
Aliases:
CVE-2025-24293
GHSA-r4mg-4433-c7g3

Active Storage allowed transformation methods that were potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1 Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!

7.1.5.2
Affected by 2 other vulnerabilities.

7.2.2.2
Affected by 2 other vulnerabilities.

8.0.2.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T17:41:50.009469+00:00	Ruby Importer	Affected by	VCID-ad6q-vtdf-syb6	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml	38.4.0
2026-04-16T17:41:30.013800+00:00	Ruby Importer	Affected by	VCID-yzpx-3gam-y3bu	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml	38.4.0
2026-04-16T03:27:41.561736+00:00	GHSA Importer	Affected by	VCID-yzpx-3gam-y3bu	https://github.com/advisories/GHSA-r4mg-4433-c7g3	38.4.0
2026-04-12T00:55:36.647039+00:00	GitLab Importer	Affected by	VCID-yzpx-3gam-y3bu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activestorage/CVE-2025-24293.yml	38.3.0
2026-04-11T21:39:58.946932+00:00	Ruby Importer	Affected by	VCID-ad6q-vtdf-syb6	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml	38.3.0
2026-04-11T21:39:23.794622+00:00	Ruby Importer	Affected by	VCID-yzpx-3gam-y3bu	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml	38.3.0
2026-04-11T14:56:49.340427+00:00	GHSA Importer	Affected by	VCID-yzpx-3gam-y3bu	https://github.com/advisories/GHSA-r4mg-4433-c7g3	38.3.0
2026-04-03T01:03:45.774212+00:00	GitLab Importer	Affected by	VCID-yzpx-3gam-y3bu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activestorage/CVE-2025-24293.yml	38.1.0
2026-04-02T19:37:15.466702+00:00	Ruby Importer	Affected by	VCID-ad6q-vtdf-syb6	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml	38.1.0
2026-04-02T19:36:55.922656+00:00	Ruby Importer	Affected by	VCID-yzpx-3gam-y3bu	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml	38.1.0
2026-04-02T15:36:18.337824+00:00	GHSA Importer	Affected by	VCID-yzpx-3gam-y3bu	https://github.com/advisories/GHSA-r4mg-4433-c7g3	38.1.0
2026-04-01T15:55:08.320279+00:00	Ruby Importer	Affected by	VCID-ad6q-vtdf-syb6	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml	38.0.0
2026-04-01T15:54:30.342158+00:00	Ruby Importer	Affected by	VCID-yzpx-3gam-y3bu	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml	38.0.0