| purl | pkg:gem/activestorage@8.0.0.beta1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-a6z9-5n6k-2kak; Aliases: CVE-2026-33173, GHSA-qcfx-2mfw-w4cg | Rails Active Storage has possible content type bypass via metadata in direct uploads. **Impact:** Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a malicious direct-upload client could set these flags. **Releases:** The fixed releases are available at the normal locations. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| VCID-ad6q-vtdf-syb6; Aliases: CVE-2026-33658, GHSA-p9fm-f462-ggrg | Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests. **Impact:** Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. **Releases:** The fixed releases are available at the normal locations. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| VCID-hatd-vkun-13hj; Aliases: CVE-2026-33202, GHSA-73f9-jhhh-hr5m | Rails Active Storage has possible glob injection in its DiskService. **Impact:** Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. **Releases:** The fixed releases are available at the normal locations. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| VCID-qxe4-dubt-1kfp; Aliases: CVE-2026-33174, GHSA-r46p-8f7g-vvvg | Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests. **Impact:** When serving files through Active Storage's `Blobs::ProxyController`, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. **Releases:** The fixed releases are available at the normal locations. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| VCID-wpmk-wgpm-cuee; Aliases: CVE-2026-33195, GHSA-9xrj-h377-fr87 | Rails Active Storage has possible Path Traversal in DiskService. **Impact:** Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. **Releases:** The fixed releases are available at the normal locations. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| VCID-yzpx-3gam-y3bu; Aliases: CVE-2025-24293, GHSA-r4mg-4433-c7g3 | Active Storage allowed transformation methods that were potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. **Versions Affected:** >= 5.2.0. **Not affected:** < 5.2.0. **Fixed Versions:** 7.1.5.2, 7.2.2.2, 8.0.2.1. **Impact:** This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: `<%= image_tag blob.variant(params[:t] => params[:v]) %>`, where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. **Releases:** The fixed releases are available at the normal locations. **Workarounds:** Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. **Credits:** Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this! | Affected by 2 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |