Rails · Rails · CVE-2026-33195
**Name of the Vulnerable Software and Affected Versions**
Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1
**Description**
Active Storage in Rails applications lets users attach cloud-hosted and local files. The `DiskService#path_for` method does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g., `../`) is used, it can allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but applications that pass user input as keys would be affected.
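The check the description says is missing, shown as an added Ruby example that is not Rails' own code or its patch: a disk-backed path resolver that mirrors the `key[0..1]/key[2..3]/key` layout and refuses any key whose canonical path lands outside the storage root. The class name `SafeDiskPaths`, the key allow-list regex, and the helper `classify_key` are assumptions made for this example; a real application should simply upgrade to a fixed Rails version and keep blob keys out of user control.

```ruby
# Added example, not Rails' DiskService. Demonstrates the containment check
# that the advisory says was missing: resolve the key under the storage root
# and verify the canonical result is still inside that root.
class SafeDiskPaths
  class InvalidKey < StandardError; end

  # First line of defence (assumed format): Active Storage keys are normally
  # short base36 strings, so anything outside [a-z0-9] is rejected up front.
  # A minimum length avoids nil slices when building the two-level layout.
  KEY_FORMAT = /\A[a-z0-9]{4,}\z/.freeze

  def initialize(root)
    # Canonicalise once so every comparison is between absolute, normalised paths.
    @root = File.expand_path(root)
  end

  # Same two-level layout the disk service uses, but validated before return.
  def path_for(key)
    unless key.is_a?(String) && key.match?(KEY_FORMAT)
      raise InvalidKey, "key must match #{KEY_FORMAT.inspect}"
    end

    candidate = File.expand_path(File.join(@root, key[0..1], key[2..3], key))
    raise InvalidKey, "resolved path escapes storage root" unless within_root?(candidate)

    candidate
  end

  # Second, independent check: the canonical path must be the root itself or a
  # descendant of it. Comparing against root + separator avoids the classic
  # prefix bug where "/srv/storage2/x" would pass a bare "/srv/storage" prefix test.
  def within_root?(path)
    path == @root || path.start_with?(@root + File::SEPARATOR)
  end
end

# Returns :ok when the key resolves inside the root and :rejected otherwise,
# so callers (and tests) can check the outcome without exceptions leaking out.
def classify_key(root, key)
  SafeDiskPaths.new(root).path_for(key)
  :ok
rescue SafeDiskPaths::InvalidKey
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  root = "/var/app/storage" # constructed sample root; no files are touched
  puts SafeDiskPaths.new(root).path_for("abc123xyz")
  puts classify_key(root, "../../some_other_file")
end
```

The two checks are deliberately redundant: the allow-list stops traversal sequences before any path is built, and `within_root?` catches anything that slips past the allow-list (or a future change that relaxes it), which is the property `path_for` itself should have guaranteed.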
**Recommendations**
Update to Rails version 8.1.2.1 or later.
Update to Rails version 8.0.4.1 or later.
Update to Rails version 7.2.3.1 or later.