[CVE-2026-33658] Possible DoS vulnerability in Active Storage proxy mode via multi-range requests

jhawthorn · March 23, 2026, 9:25pm

Impact

Active Storage’s proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33658
GHSA-p9fm-f462-ggrg

Versions affected

activestorage >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activestorage >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activestorage < 7.2.3.1 (patched in 7.2.3.1)

Topic		Replies	Views
[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests Security Announcements announcement , security	0	33	March 23, 2026
Possible DoS Vulnerability with Range Header in Rack Security Announcements announcement , rack	0	4722	February 21, 2024
Active Storage image download is truncated at 5000 kB rubyonrails-talk activestorage	1	816	June 25, 2022
Possible Sensitive Session Information Leak in Active Storage Security Announcements announcement , patch	0	5508	February 21, 2024
Active Storage in production: lessons learned and in-depth look at how it works rubyonrails-talk activestorage	34	26944	April 26, 2025

[CVE-2026-33658] Possible DoS vulnerability in Active Storage proxy mode via multi-range requests

Impact

Releases

Versions affected

Patches

More Resources

[CVE-2026-33658] Possible DoS vulnerability in Active Storage proxy mode via multi-range requests

Impact

Releases

Versions affected

Patches

Related topics

More Resources