{"url":"http://public2.vulnerablecode.io/api/packages/119218?format=json","purl":"pkg:gem/carrierwave@3.1.3","type":"gem","namespace":"","name":"carrierwave","version":"3.1.3","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51511?format=json","vulnerability_id":"VCID-cgb7-tv72-cbgv","summary":"CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters\n### Summary\n\nCarrierWave's content_type_denylist check fails to escape regex\nmetacharacters in string entries, causing the denylist to silently\nnot match the content types it is intended to block.\n\n**Note**: CarrierWave is aware that `#content_type_denylist is deprecated\nfor the security reason`, but it is still used by developers. The\nproblem here isn't that a denylist allows any filetype; that is not a\nvulnerability in CarrierWave, it is an implementation problem in\napplications using CarrierWave. The problem is that denylist entries\nare interpolated directly into a regex without `Regexp.quote` or\nanchoring. The denylist is still useful when developers want to\nban specific content types but allow everything else.\n\n### Details\n\nIn `lib/carrierwave/uploader/content_type_denylist.rb:57`, string\ndenylist entries are interpolated directly into a regex without\n`Regexp.quote` or anchoring:\n\n```ruby\ndef denylisted_content_type?(denylist, content_type)\n  Array(denylist).any? { |item| content_type =~ /#{item}/ }\nend\n```\n\nThe entry \"image/svg+xml\" becomes the regex /image\\/svg+xml/ where +\nis a quantifier meaning \"one or more g\", not a literal +. This\nregex never matches the real MIME type \"image/svg+xml\" which contains\na literal +. This is inconsistent with the allowlist implementation\nat lib/carrierwave/uploader/content_type_allowlist.rb:53-57, which\ncorrectly applies both Regexp.quote and a \\A anchor:\n\n```ruby\ndef allowlisted_content_type?(allowlist, content_type)\n  Array(allowlist).any? do |item|\n    item = Regexp.quote(item) if item.class != Regexp\n    content_type =~ /\\A#{item}/\n  end\nend\n```\n\nOther affected MIME types include `application/xhtml+xml` and any\ntype containing regex metacharacters.\n\nFix: Apply Regexp.quote for string entries and anchor with \\A,\nmatching the existing allowlist implementation:\n\n```ruby\ndef denylisted_content_type?(denylist, content_type)\n  Array(denylist).any? do |item|\n    item = Regexp.quote(item) if item.class != Regexp\n    content_type =~ /\\A#{item}/\n  end\nend\n```\n\n### Impact\n\nAny application that uses content_type_denylist to block image/svg+xml\n— the most common use case, specifically to prevent stored XSS — is\nsilently unprotected.","references":[{"reference_url":"https://github.com/carrierwaveuploader/carrierwave","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/carrierwaveuploader/carrierwave"},{"reference_url":"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2026-44587.yml","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2026-44587.yml"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-44587","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-44587"},{"reference_url":"https://github.com/advisories/GHSA-7g26-2qgj-chfg","reference_id":"GHSA-7g26-2qgj-chfg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7g26-2qgj-chfg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/119219?format=json","purl":"pkg:gem/carrierwave@2.2.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/carrierwave@2.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/119218?format=json","purl":"pkg:gem/carrierwave@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/carrierwave@3.1.3"}],"aliases":["CVE-2026-44587","GHSA-7g26-2qgj-chfg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cgb7-tv72-cbgv"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/carrierwave@3.1.3"}