VulnerableCode Package Details - pkg:gem/carrierwave@3.0.2

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:gem/carrierwave@3.0.2

Essentials
History (2)

purl	pkg:gem/carrierwave@3.0.2

Next non-vulnerable version	3.1.3
Latest non-vulnerable version	3.1.3
Risk	3.1

Vulnerabilities affecting this package (2)

Vulnerability	Summary	Fixed by
VCID-hway-mr71-cqgj Aliases: CVE-2023-49090 GHSA-gxhx-g4fq-49hj	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.	3.0.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-phc1-hxmj-4qdw Aliases: CVE-2024-29034 GHSA-vfmv-jfc5-pjjw	CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.	3.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:14:55.066818+00:00	Ruby Importer	Affected by	VCID-phc1-hxmj-4qdw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml	38.6.0
2026-06-04T18:14:31.145114+00:00	Ruby Importer	Affected by	VCID-hway-mr71-cqgj	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2023-49090.yml	38.6.0