VulnerableCode Package Details - pkg:gem/carrierwave@2.2.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-hway-mr71-cqgj Aliases: CVE-2023-49090 GHSA-gxhx-g4fq-49hj	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.	2.2.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-phc1-hxmj-4qdw Aliases: CVE-2024-29034 GHSA-vfmv-jfc5-pjjw	CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.	2.2.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hway-mr71-cqgj
Aliases:
CVE-2023-49090
GHSA-gxhx-g4fq-49hj

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.

2.2.5
Affected by 1 other vulnerability.

3.0.5
Affected by 1 other vulnerability.

VCID-phc1-hxmj-4qdw
Aliases:
CVE-2024-29034
GHSA-vfmv-jfc5-pjjw

CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.

2.2.6
Affected by 1 other vulnerability.

3.0.7
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:14:55.051121+00:00	Ruby Importer	Affected by	VCID-phc1-hxmj-4qdw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml	38.6.0
2026-06-04T18:14:31.135994+00:00	Ruby Importer	Affected by	VCID-hway-mr71-cqgj	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2023-49090.yml	38.6.0

2026-06-04T18:14:55.051121+00:00

Ruby Importer

Affected by

VCID-phc1-hxmj-4qdw

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml

38.6.0

2026-06-04T18:14:31.135994+00:00

Ruby Importer

Affected by

VCID-hway-mr71-cqgj

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2023-49090.yml

38.6.0

Next non-vulnerable version	2.2.7
Latest non-vulnerable version	3.1.3
Risk	3.1