[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests

jhawthorn · March 23, 2026, 9:25pm

Impact

When serving files through Active Storage’s Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33174
GHSA-r46p-8f7g-vvvg

Versions affected

activestorage >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activestorage >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activestorage < 7.2.3.1 (patched in 7.2.3.1)

Topic		Replies	Views
[CVE-2026-33658] Possible DoS vulnerability in Active Storage proxy mode via multi-range requests Security Announcements announcement , security	0	297	March 23, 2026
Active Storage image download is truncated at 5000 kB rubyonrails-talk activestorage	1	820	June 25, 2022
Possible DoS Vulnerability with Range Header in Rack Security Announcements announcement , rack	0	4723	February 21, 2024
Possible Sensitive Session Information Leak in Active Storage Security Announcements announcement , patch	0	5508	February 21, 2024
[CVE-2026-33195] Possible path traversal in Active Storage DiskService Security Announcements announcement , security	0	209	March 23, 2026

[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests

Impact

Releases

Versions affected

Patches

More Resources

[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests

Impact

Releases

Versions affected

Patches

Related topics

More Resources