Platform: ruby
Component: activestorage
Fixed in: 8.1.1, 8.0.1, 7.2.4, 8.1.2.1
CVE-2026-33195 is a Path Traversal vulnerability discovered in Ruby on Rails Active Storage. This flaw allows attackers to potentially read, write, or delete arbitrary files on the server by manipulating blob keys containing path traversal sequences like ../. The vulnerability impacts versions of Active Storage up to and including 8.1.2, and a fix is available in version 8.1.2.1.
The core of the vulnerability lies in the DiskService#path_for method within Active Storage, which fails to properly validate that the resolved filesystem path remains within the designated storage root directory. An attacker can exploit this by crafting a malicious blob key containing path traversal sequences. For example, a key like ../../../../etc/passwd could allow an attacker to read sensitive system files. The ability to write arbitrary files could lead to remote code execution if the attacker can overwrite executable files or inject malicious code into application assets. The blast radius extends to any application utilizing Active Storage with untrusted user input being used as blob keys.
This vulnerability was responsibly reported by HackerOne researcher [ksw9722](https://hackerone.com/ksw). As of the public disclosure date (2026-03-23), there is no indication of active exploitation in the wild. The EPSS score is likely to be medium, given the potential impact and the requirement for crafted input. No KEV listing exists at this time.
Applications built with Ruby on Rails that utilize Active Storage and accept user-provided data as blob keys are at significant risk. This includes e-commerce platforms allowing users to upload images, content management systems with user-generated content, and any application where user input is directly incorporated into Active Storage blob keys without proper sanitization.
• ruby / server:
find /path/to/rails/app/models -name '*.rb' -print0 | xargs -0 grep -i 'DiskService#path_for'
• ruby / server:
journalctl -u puma -g 'ActiveStorage::DiskService#path_for' | grep -F '../'
• generic web:
curl -I 'https://example.com/active_storage/blobs/some_malicious_key../sensitive_file'
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation is to upgrade to Ruby on Rails Active Storage version 8.1.2.1 or later, which includes the necessary validation to prevent path traversal. If upgrading immediately is not feasible, consider implementing input validation on blob keys to sanitize against path traversal sequences before they are used. Web application firewalls (WAFs) configured to detect and block requests containing path traversal patterns can provide an additional layer of defense. Regularly review and audit Active Storage configurations to ensure that blob keys are handled securely and that user input is properly validated.
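The interim workaround above, validating blob keys before they reach the filesystem, can be layered as two independent guards. The following is an added example and is not Active Storage's own code: the storage root, the key character set and the two-character prefix directory layout are assumptions chosen for illustration.

```ruby
# Added example (not Rails' or Active Storage's code): defensive blob key
# handling for a disk-backed store. Root path, key alphabet and directory
# layout below are assumptions for illustration only.
require "pathname"

# Guard 1: allow-list the key format. Framework-generated keys are random
# alphanumerics (assumed here), so separators, dots and NUL bytes are refused
# before any path is built from the key.
SAFE_KEY = /\A[a-z0-9]{4,64}\z/

def valid_key?(key)
  key.is_a?(String) && SAFE_KEY.match?(key)
end

# Guard 2: resolve the candidate path and require that it stays inside +root+.
# This catches traversal even if a future key format loosens guard 1.
def within_root?(root, candidate)
  root_path = Pathname.new(File.expand_path(root))
  resolved  = Pathname.new(File.expand_path(candidate))
  rel = resolved.relative_path_from(root_path).to_s
  rel != ".." && !rel.start_with?("../")
rescue ArgumentError
  false # relative_path_from raises when the paths share no common base
end

# Returns the on-disk path for +key+, or nil when the key must be rejected.
def safe_blob_path(root, key)
  return nil unless valid_key?(key)
  # Constructed layout: two two-character prefix directories, then the key.
  candidate = File.join(root, key[0, 2], key[2, 2], key)
  return nil unless within_root?(root, candidate)
  candidate
end

if __FILE__ == $PROGRAM_NAME
  root = "/var/app/storage" # constructed example root
  p safe_blob_path(root, "abc123def456")           # => "/var/app/storage/ab/c1/abc123def456"
  p safe_blob_path(root, "../../../../etc/passwd") # => nil
end
```

A request whose key fails either guard should be answered with a generic 404 and logged, since a rejected key is itself a useful detection signal.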
Upgrade Active Storage to version 8.1.2.1, 8.0.4.1 or 7.2.3.1, or later, as appropriate for your Rails version. This fixes the path traversal vulnerability in DiskService.
CVE-2026-33195 is a Path Traversal vulnerability in Ruby on Rails Active Storage versions 8.1.2 and earlier, allowing attackers to potentially read, write, or delete arbitrary files.
You are affected if you are using Ruby on Rails Active Storage version 8.1.2 or earlier. Upgrade to 8.1.2.1 or later to mitigate the risk.
Upgrade to Ruby on Rails Active Storage version 8.1.2.1 or later. As a temporary workaround, validate blob keys to prevent path traversal sequences.
As of the public disclosure date, there is no evidence of active exploitation in the wild.
Refer to the official Ruby on Rails security advisories for detailed information and updates: [https://github.com/rails/rails/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/rails/rails/security/advisories/GHSA-xxxx-xxxx-xxxx)