CVE-2026-33174: Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
When serving files through Active Storage’s Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.
References
- github.com/advisories/GHSA-r46p-8f7g-vvvg
- github.com/rails/rails
- github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
- github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
- github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
- github.com/rails/rails/releases/tag/v7.2.3.1
- github.com/rails/rails/releases/tag/v8.0.4.1
- github.com/rails/rails/releases/tag/v8.1.2.1
- github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
- nvd.nist.gov/vuln/detail/CVE-2026-33174
Code Behaviors & Features
Detect and mitigate CVE-2026-33174 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →