Package details: pkg:gem/activestorage@8.1.2.1
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (5)
VCID-a6z9-5n6k-2kak
Summary: Rails Active Storage has possible content type bypass via metadata in direct uploads
Impact: Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a malicious direct-upload client could set these flags.
Releases: The fixed releases are available at the normal locations.
Aliases: CVE-2026-33173, GHSA-qcfx-2mfw-w4cg

VCID-ad6q-vtdf-syb6
Summary: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Impact: Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.
Releases: The fixed releases are available at the normal locations.
Aliases: CVE-2026-33658, GHSA-p9fm-f462-ggrg

VCID-hatd-vkun-13hj
Summary: Rails Active Storage has possible glob injection in its DiskService
Impact: Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.
Releases: The fixed releases are available at the normal locations.
Aliases: CVE-2026-33202, GHSA-73f9-jhhh-hr5m

VCID-qxe4-dubt-1kfp
Summary: Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Impact: When serving files through Active Storage's `Blobs::ProxyController`, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.
Releases: The fixed releases are available at the normal locations.
Aliases: CVE-2026-33174, GHSA-r46p-8f7g-vvvg

VCID-wpmk-wgpm-cuee
Summary: Rails Active Storage has possible Path Traversal in DiskService
Impact: Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.
Releases: The fixed releases are available at the normal locations.
Aliases: CVE-2026-33195, GHSA-9xrj-h377-fr87

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-11T21:40:00.085060+00:00 | Ruby Importer | Fixing | VCID-ad6q-vtdf-syb6 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml | 38.3.0
2026-04-02T19:37:15.886242+00:00 | Ruby Importer | Fixing | VCID-ad6q-vtdf-syb6 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml | 38.1.0
2026-04-02T17:01:24.493669+00:00 | GHSA Importer | Fixing | VCID-ad6q-vtdf-syb6 | https://github.com/advisories/GHSA-p9fm-f462-ggrg | 38.1.0
2026-04-02T17:01:21.435625+00:00 | GHSA Importer | Fixing | VCID-hatd-vkun-13hj | https://github.com/advisories/GHSA-73f9-jhhh-hr5m | 38.1.0
2026-04-02T17:01:21.366796+00:00 | GHSA Importer | Fixing | VCID-wpmk-wgpm-cuee | https://github.com/advisories/GHSA-9xrj-h377-fr87 | 38.1.0
2026-04-02T17:01:21.110461+00:00 | GHSA Importer | Fixing | VCID-qxe4-dubt-1kfp | https://github.com/advisories/GHSA-r46p-8f7g-vvvg | 38.1.0
2026-04-02T17:01:21.003067+00:00 | GHSA Importer | Fixing | VCID-a6z9-5n6k-2kak | https://github.com/advisories/GHSA-qcfx-2mfw-w4cg | 38.1.0
2026-04-01T15:55:09.437160+00:00 | Ruby Importer | Fixing | VCID-ad6q-vtdf-syb6 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml | 38.0.0
2026-04-01T12:54:14.127786+00:00 | GithubOSV Importer | Fixing | VCID-wpmk-wgpm-cuee | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9xrj-h377-fr87/GHSA-9xrj-h377-fr87.json | 38.0.0
2026-04-01T12:54:01.352942+00:00 | GithubOSV Importer | Fixing | VCID-ad6q-vtdf-syb6 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p9fm-f462-ggrg/GHSA-p9fm-f462-ggrg.json | 38.0.0
2026-04-01T12:53:54.601426+00:00 | GithubOSV Importer | Fixing | VCID-a6z9-5n6k-2kak | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qcfx-2mfw-w4cg/GHSA-qcfx-2mfw-w4cg.json | 38.0.0
2026-04-01T12:53:27.858617+00:00 | GithubOSV Importer | Fixing | VCID-hatd-vkun-13hj | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-73f9-jhhh-hr5m/GHSA-73f9-jhhh-hr5m.json | 38.0.0
2026-04-01T12:53:22.563113+00:00 | GithubOSV Importer | Fixing | VCID-qxe4-dubt-1kfp | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r46p-8f7g-vvvg/GHSA-r46p-8f7g-vvvg.json | 38.0.0