{"url":"http://public2.vulnerablecode.io/api/packages/140366?format=json","purl":"pkg:gem/activestorage@6.0.6.1","type":"gem","namespace":"","name":"activestorage","version":"6.0.6.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.1.2.1","latest_non_vulnerable_version":"8.1.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15665?format=json","vulnerability_id":"VCID-65tq-e5eb-eucj","summary":"Rails has possible Sensitive Session Information Leak in Active Storage\n# Possible Sensitive Session Information Leak in Active Storage\n\nThere is a possible sensitive session information leak in Active Storage.  By\ndefault, Active Storage sends a `Set-Cookie` header along with the user's\nsession cookie when serving blobs.  It also sets `Cache-Control` to public.\nCertain proxies may cache the Set-Cookie, leading to an information leak.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-26144.\n\nVersions Affected:  >= 5.2.0, < 7.1.0\nNot affected:       < 5.2.0, > 7.1.0\nFixed Versions:     7.0.8.1, 6.1.7.7\n\nImpact\n------\nA proxy which chooses to caches this request can cause users to share\nsessions. This may include a user receiving an attacker's session or vice\nversa.\n\nThis was patched in 7.1.0 but not previously identified as a security\nvulnerability.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUpgrade to Rails 7.1.X, or configure caching proxies not to cache the\nSet-Cookie headers.\n\nCredits\n-------\n\nThanks to [tyage](https://hackerone.com/tyage) for reporting this!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26144","reference_id":"","reference_type":"","scores":[{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86809","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86814","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86818","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86804","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86796","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86776","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86778","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86759","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26144"},{"reference_url":"https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433"},{"reference_url":"https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26144","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26144"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0013","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240510-0013"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119","reference_id":"1065119","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266063","reference_id":"2266063","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266063"},{"reference_url":"https://github.com/advisories/GHSA-8h22-8cf7-hq6g","reference_id":"GHSA-8h22-8cf7-hq6g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8h22-8cf7-hq6g"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0013/","reference_id":"ntap-20240510-0013","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240510-0013/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10806","reference_id":"RHSA-2024:10806","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10806"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54818?format=json","purl":"pkg:gem/activestorage@6.1.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ad6q-vtdf-syb6"},{"vulnerability":"VCID-yzpx-3gam-y3bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@6.1.7.7"},{"url":"http://public2.vulnerablecode.io/api/packages/54819?format=json","purl":"pkg:gem/activestorage@7.0.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ad6q-vtdf-syb6"},{"vulnerability":"VCID-yzpx-3gam-y3bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@7.0.8.1"}],"aliases":["CVE-2024-26144","GHSA-8h22-8cf7-hq6g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-65tq-e5eb-eucj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/24796?format=json","vulnerability_id":"VCID-ad6q-vtdf-syb6","summary":"Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests\n### Impact\nActive Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.\n\n### Releases\nThe fixed releases are available at the normal locations.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33658.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33658.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33658","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15546","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15609","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15644","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15677","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15534","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15731","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1562","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15667","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33658"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33658","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33658"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.2.3.1","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/"}],"url":"https://github.com/rails/rails/releases/tag/v7.2.3.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v8.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/"}],"url":"https://github.com/rails/rails/releases/tag/v8.0.4.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v8.1.2.1","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/"}],"url":"https://github.com/rails/rails/releases/tag/v8.1.2.1"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33658","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33658"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035","reference_id":"1132035","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451983","reference_id":"2451983","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451983"},{"reference_url":"https://github.com/advisories/GHSA-p9fm-f462-ggrg","reference_id":"GHSA-p9fm-f462-ggrg","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p9fm-f462-ggrg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66209?format=json","purl":"pkg:gem/activestorage@7.2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ad6q-vtdf-syb6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@7.2.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/66206?format=json","purl":"pkg:gem/activestorage@8.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ad6q-vtdf-syb6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@8.0.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/66202?format=json","purl":"pkg:gem/activestorage@8.1.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@8.1.2.1"}],"aliases":["CVE-2026-33658","GHSA-p9fm-f462-ggrg"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ad6q-vtdf-syb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/27443?format=json","vulnerability_id":"VCID-yzpx-3gam-y3bu","summary":"Active Storage allowed transformation methods that were potentially unsafe\nActive Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.\n\nThe default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.\n\nThis has been assigned the CVE identifier CVE-2025-24293.\n\n\nVersions Affected:  >= 5.2.0\nNot affected:       < 5.2.0\nFixed Versions:     7.1.5.2, 7.2.2.2, 8.0.2.1\n\nImpact\n------\nThis vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.\n\nVulnerable code will look something similar to this:\n\n```\n<%= image_tag blob.variant(params[:t] => params[:v]) %>\n```\n\nWhere the transformation method or its arguments are untrusted arbitrary input.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.\n\nStrict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.\n\nCredits\n-------\n\nThank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24293.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24293.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-24293","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42056","published_at":"2026-04-07T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42119","published_at":"2026-04-04T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42091","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43312","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43301","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43316","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43347","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43327","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-24293"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24293","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24293"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/advisories/GHSA-r4mg-4433-c7g3","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-02T14:45:32Z/"}],"url":"https://github.com/advisories/GHSA-r4mg-4433-c7g3"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354"},{"reference_url":"https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce"},{"reference_url":"https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24293","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24293"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435565","reference_id":"2435565","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435565"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69646?format=json","purl":"pkg:gem/activestorage@7.1.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ad6q-vtdf-syb6"},{"vulnerability":"VCID-yzpx-3gam-y3bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@7.1.5.2"},{"url":"http://public2.vulnerablecode.io/api/packages/69645?format=json","purl":"pkg:gem/activestorage@7.2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ad6q-vtdf-syb6"},{"vulnerability":"VCID-yzpx-3gam-y3bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@7.2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/69644?format=json","purl":"pkg:gem/activestorage@8.0.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ad6q-vtdf-syb6"},{"vulnerability":"VCID-yzpx-3gam-y3bu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@8.0.2.1"}],"aliases":["CVE-2025-24293","GHSA-r4mg-4433-c7g3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yzpx-3gam-y3bu"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activestorage@6.0.6.1"}