PT-2026-28168 · Rails+1

Thwin_Htet

·

Published

2026-03-25

·

Updated

2026-05-08

·

CVE-2026-33658

CVSS v2.0

6.8

Medium

Vector AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1

Description

Active Storage, used for attaching cloud and local files in Rails applications, is susceptible to a denial-of-service condition. The proxy controller within Active Storage does not restrict the number of byte ranges specified in an HTTP Range header. An attacker can exploit this by sending a request containing a large number of small ranges, leading to excessive CPU usage and potentially causing a denial of service.

Recommendations

Update to Rails version 8.1.2.1 or later.
Update to Rails version 8.0.4.1 or later.
Update to Rails version 7.2.3.1 or later.
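Added example, not code from Rails or from this advisory: a Rack middleware that parses the byte ranges of an HTTP Range header and caps their count before the request reaches a file-serving endpoint such as the Active Storage proxy controller. The class name, the limit of 16 ranges and the choice to answer with 416 are assumptions of this example; upgrading Rails remains the fix.

```ruby
# Example mitigation (not Rails' own patch): cap the number of byte ranges a
# single request may carry, so a flood of tiny ranges is rejected before any
# range processing spends CPU.
class RangeCountLimiter
  MAX_RANGES = 16 # assumed limit; tune for your application

  # Parse "bytes=a-b,c-d,..." into [first, last] pairs (nil for an open end).
  # Returns nil when the header is not a syntactically valid byte-range set.
  def self.parse_byte_ranges(value)
    return nil unless value && value.start_with?('bytes=')
    specs = value.delete_prefix('bytes=').split(',', -1).map(&:strip)
    return nil if specs.empty?
    specs.map do |spec|
      m = spec.match(/\A(\d*)-(\d*)\z/)
      # "-" with both ends missing is invalid; "100-" and "-500" are valid.
      return nil unless m && !(m[1].empty? && m[2].empty?)
      [m[1].empty? ? nil : m[1].to_i, m[2].empty? ? nil : m[2].to_i]
    end
  end

  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  def call(env)
    header = env['HTTP_RANGE']
    if header
      ranges = self.class.parse_byte_ranges(header)
      if ranges.nil?
        # Malformed Range header: ignore it and serve the full resource.
        env.delete('HTTP_RANGE')
      elsif ranges.length > @max_ranges
        # Too many ranges: refuse before the downstream app touches the file.
        return [416, { 'content-type' => 'text/plain' }, ["Range Not Satisfiable\n"]]
      end
    end
    @app.call(env)
  end
end
```

In a Rails application this would be registered with `config.middleware.use RangeCountLimiter`, ahead of the routes that serve Active Storage blobs.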

Exploit

Fix

DoS

Allocation of Resources Without Limits


Weakness Enumeration

Related identifiers

BDU:2026-07239
CVE-2026-33658
GHSA-P9FM-F462-GGRG

Affected products

Rails
Red Os