Gannon Mcgibbon

#32018 of 53,633
7.8 Total CVSS
Vulnerabilities · 1
PT-2026-27260
7.8
2026-03-23
Rails · Rails · CVE-2026-33174
**Name of the Vulnerable Software and Affected Versions**

- Rails versions prior to 8.1.2.1
- Rails versions prior to 8.0.4.1
- Rails versions prior to 7.2.3.1

**Description**

Active Storage in Rails applications allows users to attach cloud and local files. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the proxy controller in Active Storage's proxy delivery mode loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header, such as `bytes=0-`, could cause the server to allocate memory proportional to the file size, potentially leading to a denial-of-service condition through memory exhaustion.

**Recommendations**

- Update to Rails version 8.1.2.1 or later.
- Update to Rails version 8.0.4.1 or later.
- Update to Rails version 7.2.3.1 or later.