Platform: ruby
Component: activestorage
Fixed versions: 8.1.1, 8.0.1, 7.2.4, 8.1.2.1
CVE-2026-33658 describes a Denial of Service (DoS) vulnerability within the Active Storage proxy controller in Ruby on Rails. An attacker can trigger this by crafting HTTP requests with a large number of byte range headers, leading to disproportionate CPU usage and potential service disruption. This vulnerability affects versions of Active Storage up to and including 8.1.2, and a fix is available in version 8.1.2.1.
The core of this vulnerability is that the Active Storage proxy controller places no limit on the number of byte ranges it accepts in a single HTTP Range header. A normal download, even a resumable one, carries no Range header or a single range. An attacker, however, can send one request whose Range header lists thousands of tiny ranges of the same file. The server processes each range individually, so one such request costs far more CPU than a standard one, and a modest stream of them can degrade performance to the point of service unavailability for legitimate users. The impact is confined to resource exhaustion on the server hosting the Active Storage proxy; no data is exposed or modified.
This vulnerability was responsibly reported by HackerOne researcher [thwin_htet]. As of the publication date (2026-03-25), there are no publicly known exploits or active campaigns targeting this vulnerability. The CVSS base score of 2.5 (Low) reflects its limited impact (availability only); the probability of exploitation in the wild is a separate estimate, given by the EPSS figure on this page. It is not currently listed in the CISA KEV catalog.
Applications using Ruby on Rails Active Storage versions 8.1.2 and earlier are at risk. The exposure is greatest for applications that serve uploads through Active Storage's proxy routes to unauthenticated clients, since a single anonymous client can then trigger the expensive code path; note that the proxy routes are drawn by default even when an application normally redirects to the storage service, unless Active Storage routing has been disabled. Shared hosting environments still running older Ruby on Rails versions are also particularly exposed.
• ruby / server: confirm which release is pinned (this page places the fix in 8.1.2.1 and the 8.0/7.2 backports listed below):
grep -E '^    activestorage \(' Gemfile.lock
• ruby / server: look for bursts of proxy-controller requests from one client in the application log (Rails does not log the Range header by default, so count requests rather than ranges):
journalctl -u puma -g 'ActiveStorage::(Blobs|Representations)::ProxyController'
• generic web: probe whether multi-range requests reach the proxy controller end to end (a 206 with a multipart/byteranges body means they are honoured rather than stripped by a front-end proxy):
curl -s -o /dev/null -w '%{http_code} %{content_type}\n' -H 'Range: bytes=0-0,2-2,4-4' <active_storage_url>
Exploitation status
EPSS: 0.05% (16th percentile)
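A small version check that reads the pinned activestorage release out of a Gemfile.lock and compares it with the patched releases, written here as an added example (it is not code from the advisory or from Rails). The patched versions it uses are the ones this page's upgrade guidance names (8.1.2.1, 8.0.4.1, 7.2.3.1) and the "up to and including 8.1.2" affected range from the summary; treat both as assumptions to confirm against the official advisory. The sample lockfile is constructed for the demonstration.

```ruby
# Added example, not from the advisory or from Rails: decide from a Gemfile.lock whether
# the pinned activestorage release predates the fix described on this page.
require "rubygems"

# Patched releases as listed in this page's upgrade guidance (assumption: verify against
# the official advisory before relying on this table).
PATCHED_ACTIVESTORAGE = {
  "8.1" => Gem::Version.new("8.1.2.1"),
  "8.0" => Gem::Version.new("8.0.4.1"),
  "7.2" => Gem::Version.new("7.2.3.1"),
}.freeze

# Highest release the page names as affected; anything at or below it on a branch
# without a listed fix is reported as vulnerable.
LAST_AFFECTED = Gem::Version.new("8.1.2")

# Bundler writes resolved gems under GEM/specs as four spaces, name, "(version)".
# Dependency lines ("      activestorage (= 8.1.2)") are indented six spaces and skipped.
def locked_activestorage_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}activestorage \(([0-9][^)]*)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Returns :not_present, :vulnerable, :patched, or :unknown (newer than anything on the page).
def activestorage_status(lockfile_text)
  version = locked_activestorage_version(lockfile_text)
  return :not_present unless version

  branch = version.segments.first(2).join(".")
  fixed = PATCHED_ACTIVESTORAGE[branch]
  if fixed
    version >= fixed ? :patched : :vulnerable
  else
    version <= LAST_AFFECTED ? :vulnerable : :unknown
  end
end

# Constructed sample lockfile (not from a real project) pinning the last affected release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
      activestorage (8.1.2)
        actionpack (= 8.1.2)
        activejob (= 8.1.2)
        activerecord (= 8.1.2)
        activesupport (= 8.1.2)
        marcel (~> 1.0)
LOCK

def sample_status
  activestorage_status(SAMPLE_LOCKFILE)
end

# Usage: ruby check_activestorage.rb path/to/Gemfile.lock
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  text = File.read(ARGV[0])
  puts "#{ARGV[0]}: activestorage #{locked_activestorage_version(text) || '(absent)'} -> #{activestorage_status(text)}"
end
```

The check deliberately matches only the resolved-spec line (four-space indent), so the `activestorage (= x.y.z)` dependency entries under other gems cannot be mistaken for the pinned version.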
The primary mitigation for CVE-2026-33658 is to upgrade to Ruby on Rails version 8.1.2.1 or later, which includes the fix. If an immediate upgrade is not feasible, cap the number of byte ranges a request may carry before it reaches the Active Storage proxy controller, either in the reverse proxy in front of the application or in a Rack middleware, and rate limit requests to the proxy routes per client. Web application firewalls (WAFs) can likewise be configured to drop requests whose Range header lists an unusually large number of ranges. Monitor CPU usage on the server hosting Active Storage so that an attack of this kind is noticed as a sustained load increase rather than as an outage.
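One way to implement the per-request cap described above, as an added example rather than code from the advisory or from Rails: a Rack middleware that counts the ranges in the Range header of requests aimed at the Active Storage proxy routes and refuses the request before any per-range work starts. It assumes the default `/rails/active_storage/` route prefix and a ceiling of 32 ranges; both are hypothetical knobs, and the downstream app, request envs, and header values are constructed for the demonstration.

```ruby
# Added example, not part of the advisory or of Rails: reject requests to Active Storage
# proxy endpoints whose Range header carries more byte ranges than a cap.
class RangeHeaderLimiter
  MAX_RANGES = 32                              # assumption: generous for legitimate clients
  PROXY_PATH_PREFIX = "/rails/active_storage/" # assumption: default Active Storage mount

  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  # Number of range specs in a Range header value such as "bytes=0-0,5-9,100-"
  # (RFC 9110 section 14.2). Absent headers and non-byte units count as zero so ordinary
  # and resumable downloads are untouched; malformed specs are still counted, because the
  # cap is about how much work a single header is allowed to demand.
  def self.range_count(header)
    return 0 if header.nil?
    value = header.strip
    return 0 unless value.match?(/\Abytes=/i)
    value.sub(/\Abytes=/i, "").split(",").count { |spec| !spec.strip.empty? }
  end

  def call(env)
    if env["PATH_INFO"].to_s.start_with?(PROXY_PATH_PREFIX)
      count = self.class.range_count(env["HTTP_RANGE"])
      if count > @max_ranges
        body = "Too many byte ranges: #{count} (limit #{@max_ranges})\n"
        return [416, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
      end
    end
    @app.call(env)
  end
end

# Stand-in for the downstream Rails app (constructed); returns the whole blob regardless of Range.
UPSTREAM_STUB = ->(_env) { [200, { "content-type" => "application/octet-stream" }, ["blob bytes"]] }

# Minimal Rack env for a GET to +path+ with an optional Range header (constructed input).
def rack_env(path, range: nil)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  env["HTTP_RANGE"] = range if range
  env
end

# HTTP status the limiter produces for a request, for experiments and tests.
def limiter_status(path, range: nil, max_ranges: RangeHeaderLimiter::MAX_RANGES)
  RangeHeaderLimiter.new(UPSTREAM_STUB, max_ranges: max_ranges).call(rack_env(path, range: range)).first
end

# A header of the shape the advisory describes: many one-byte ranges of the same file.
def abusive_range_header(ranges = 1000)
  "bytes=" + Array.new(ranges) { |i| "#{2 * i}-#{2 * i}" }.join(",")
end

if $PROGRAM_NAME == __FILE__
  proxy = "/rails/active_storage/blobs/proxy/<signed_id>/report.pdf"
  puts "single range   -> #{limiter_status(proxy, range: 'bytes=0-99')}"
  puts "1000 ranges    -> #{limiter_status(proxy, range: abusive_range_header)}"
  puts "non-proxy path -> #{limiter_status('/assets/app.js', range: abusive_range_header)}"
end
```

In a Rails app the middleware can be placed ahead of the rest of the stack with `config.middleware.insert_before 0, RangeHeaderLimiter` so the rejection costs almost nothing. A 416 is used here because the request is refused as a range request; answering 400 is an equally defensible choice. If nginx fronts the application, its `max_ranges` directive enforces the same cap before the request reaches Ruby at all.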
Update Active Storage to version 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later, whichever corresponds to your Rails release line. This fixes the denial-of-service vulnerability caused by unbounded handling of multi-range requests.
CVE-2026-33658 is a Denial of Service vulnerability in Ruby on Rails Active Storage versions up to and including 8.1.2. Attackers can exploit it by sending requests whose Range header lists a very large number of byte ranges, causing disproportionate CPU usage in the proxy controller.
Yes, if you are using Ruby on Rails Active Storage versions 8.1.2 or earlier, you are affected by this vulnerability.
Upgrade to Ruby on Rails version 8.1.2.1 or later to resolve the vulnerability. Consider rate limiting or WAF rules as temporary mitigations.
As of now, there are no publicly known exploits or active campaigns targeting CVE-2026-33658.
Refer to the official Ruby on Rails security advisories for details: [https://github.com/rails/rails/security/advisories/CVE-2026-33658](https://github.com/rails/rails/security/advisories/CVE-2026-33658)