VulnerableCode Package Details - pkg:gem/carrierwave@3.0.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-phc1-hxmj-4qdw Aliases: CVE-2024-29034 GHSA-vfmv-jfc5-pjjw	CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.	3.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-phc1-hxmj-4qdw
Aliases:
CVE-2024-29034
GHSA-vfmv-jfc5-pjjw

CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.

3.0.7
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-hway-mr71-cqgj	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.	CVE-2023-49090 GHSA-gxhx-g4fq-49hj

Vulnerability

Summary

Aliases

VCID-hway-mr71-cqgj

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.

CVE-2023-49090
GHSA-gxhx-g4fq-49hj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:14:55.072251+00:00	Ruby Importer	Affected by	VCID-phc1-hxmj-4qdw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml	38.6.0
2026-06-04T17:19:39.492800+00:00	GithubOSV Importer	Fixing	VCID-hway-mr71-cqgj	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-gxhx-g4fq-49hj/GHSA-gxhx-g4fq-49hj.json	38.6.0
2026-06-02T04:46:27.153173+00:00	GitLab Importer	Fixing	VCID-hway-mr71-cqgj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/carrierwave/CVE-2023-49090.yml	38.6.0