LOW · CVE-2026-33658 · CVSS 2.5

Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests


Platform: ruby

Component: activestorage

Fixed in: 8.1.1, 8.0.1, 7.2.4, 8.1.2.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-33658 describes a Denial of Service (DoS) vulnerability within the Active Storage proxy controller in Ruby on Rails. An attacker can trigger this by crafting HTTP requests with a large number of byte range headers, leading to disproportionate CPU usage and potential service disruption. This vulnerability affects versions of Active Storage up to and including 8.1.2, and a fix is available in version 8.1.2.1.


Impact and attack scenarios

The core of this vulnerability is that the Active Storage proxy controller places no limit on the number of byte ranges it accepts in an HTTP Range header. A normal download is a single request served as one stream. An attacker can instead send one request whose Range header lists thousands of small byte ranges for the same file; the server must process each range individually, so the CPU cost of that one request is far higher than that of a standard download. This excessive CPU usage degrades performance and can make the service unavailable to legitimate users, i.e. a denial of service. The impact is resource exhaustion on the server hosting the Active Storage proxy.

Exploitation context

This vulnerability was responsibly reported by HackerOne researcher thwin_htet. As of the publication date (2026-03-25), there are no publicly known exploits or active campaigns targeting this vulnerability. The CVSS score of 2.5 indicates a low probability of exploitation. It is not currently listed in the CISA KEV catalog.

Who is at risk

Applications using Ruby on Rails Active Storage versions 8.1.2 and earlier are at risk. This includes web applications that heavily rely on file uploads and serving through Active Storage, particularly those with publicly accessible file storage. Shared hosting environments utilizing older Ruby on Rails versions are also particularly vulnerable.

Detection steps

• ruby / server (Rails request log; every proxied download produces a "Processing by ActiveStorage::ProxyController#show" line, so a sudden spike in this count alongside rising CPU is the signal, since the Range header itself is not logged):

grep -c 'Processing by ActiveStorage::ProxyController#show' log/production.log

• ruby / server (same check against the journal of a systemd-managed Puma service):

journalctl -u puma -g 'ActiveStorage::ProxyController#show' | wc -l

• generic web (confirms that the proxy endpoint advertises byte-range support, i.e. that the affected code path is exposed; replace the placeholder with one of your proxy URLs):

curl -sI <active_storage_url> | grep -i 'accept-ranges'

Attack timeline

  1. Disclosure
  2. Patch

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: NO

EPSS

0.05% (16th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: partial

Affected software

Component: activestorage
Vendor: osv

Affected range | Fixed in
>= 8.1.0, < 8.1.2.1 | 8.1.1
>= 8.0.0, < 8.0.4.1 | 8.0.1
< 7.2.3.1 | 7.2.4
8.1.0 | 8.1.2.1

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Patch: -1 days after publication

Mitigations and workarounds

The primary mitigation for CVE-2026-33658 is to upgrade to Ruby on Rails version 8.1.2.1 or later, which includes a fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing rate limiting on the Active Storage proxy controller to restrict the number of byte range requests from a single IP address within a given timeframe. Web application firewalls (WAFs) can also be configured to detect and block requests with an unusually high number of byte range headers. Monitor CPU usage on the server hosting Active Storage to detect potential DoS attacks.
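One way to apply the "block requests with an unusually high number of byte ranges" workaround inside the application itself, as an added example that is not code from this page or from Rails: a Rack middleware that counts the ranges in the Range header on Active Storage proxy URLs and refuses requests above a threshold. It assumes the default Active Storage proxy route prefixes and a hypothetical limit of five ranges; the MultiRangeLimiter and range_count names, the stand-in app and the status_for helper are constructed for the demonstration.

```ruby
# Added example (not Rails' own code): a Rack middleware that caps the number of
# byte ranges on Active Storage proxy URLs, so a request with thousands of ranges
# is refused before ActiveStorage::ProxyController serves each one. Plain Rack env
# keys only, so it runs without the rack gem; in Rails: config.middleware.use.

# Default proxy route prefixes (under the default /rails/active_storage mount).
ACTIVE_STORAGE_PROXY_PATHS = [
  "/rails/active_storage/blobs/proxy/",
  "/rails/active_storage/representations/proxy/"
].freeze

# Count the byte ranges in a Range header such as "bytes=0-9,10-19,-5".
# Returns 0 for a missing or non-"bytes" header; malformed parts are ignored.
def range_count(range_header)
  return 0 if range_header.nil?
  spec = range_header.strip
  return 0 unless spec.downcase.start_with?("bytes=")
  spec.split("=", 2).last.split(",").count { |p| p.strip.match?(/\A(\d+-\d*|-\d+)\z/) }
end

class MultiRangeLimiter
  def initialize(app, max_ranges: 5, paths: ACTIVE_STORAGE_PROXY_PATHS)
    @app, @max_ranges, @paths = app, max_ranges, paths
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    if @paths.any? { |prefix| path.start_with?(prefix) }
      count = range_count(env["HTTP_RANGE"])
      if count > @max_ranges
        # 416 Range Not Satisfiable; a client needing the whole file retries without Range.
        body = "Too many byte ranges (#{count} > #{@max_ranges})\n"
        return [416, { "content-type" => "text/plain" }, [body]]
      end
    end
    @app.call(env)
  end
end

# Constructed stand-in for the Rails app (always serves the blob with 200), and a
# helper returning only the status the middleware stack produces for a request.
def status_for(path, range_header = nil, max_ranges: 5)
  inner = ->(_env) { [200, { "content-type" => "application/octet-stream" }, ["blob-bytes"]] }
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  env["HTTP_RANGE"] = range_header if range_header
  MultiRangeLimiter.new(inner, max_ranges: max_ranges).call(env).first
end
```

Requests to other paths, and proxy requests with a normal single range, pass through unchanged; only the proxy paths are limited.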

How to fix

Update Active Storage to version 8.1.2.1, 8.0.4.1 or 7.2.3.1 or later, as appropriate for your Rails version. This fixes the denial-of-service vulnerability caused by improper handling of multi-range requests.


Frequently asked questions

What is CVE-2026-33658 — DoS in Ruby on Rails Active Storage?

CVE-2026-33658 is a Denial of Service vulnerability in Ruby on Rails Active Storage versions up to 8.1.2. Attackers can exploit it by sending requests with many byte ranges, causing high CPU usage.

Am I affected by CVE-2026-33658 in Ruby on Rails Active Storage?

Yes, if you are using Ruby on Rails Active Storage versions 8.1.2 or earlier, you are affected by this vulnerability.

How do I fix CVE-2026-33658 in Ruby on Rails Active Storage?

Upgrade to Ruby on Rails version 8.1.2.1 or later to resolve the vulnerability. Consider rate limiting or WAF rules as temporary mitigations.

Is CVE-2026-33658 being actively exploited?

As of now, there are no publicly known exploits or active campaigns targeting CVE-2026-33658.

Where can I find the official Ruby on Rails advisory for CVE-2026-33658?

Refer to the official Ruby on Rails security advisories for details: [https://github.com/rails/rails/security/advisories/CVE-2026-33658](https://github.com/rails/rails/security/advisories/CVE-2026-33658)
