PT-2026-28168 · Rails+1
Thwin_Htet · Published 2026-03-25 · Updated 2026-05-08
CVE-2026-33658
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1
Description
Active Storage, the Rails component that attaches files stored locally or in cloud services to application records, is susceptible to a denial-of-service condition. The proxy controller in Active Storage, which serves file contents through the application and honours HTTP Range requests, does not limit the number of byte ranges a single Range header may specify. An attacker can send a request whose Range header lists a very large number of small ranges; the controller processes every range, which drives CPU usage up and can deny service to other requests. Because the cost of the request scales with the number of ranges and nothing bounds that number, the flaw is classified as allocation of resources without limits.
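To make the missing check concrete, below is an added example, written for this page and not taken from Rails or from the fix: a byte-range parser in the style of RFC 7233 that counts the range specs in a Range header and rejects the request before doing any per-range work when the count exceeds a cap. The cap `MAX_RANGES`, the exception class and the function names are assumptions for illustration; the flood header is constructed to mirror the "many small ranges" request the description mentions.

```ruby
# Added example (not Rails code): parse an HTTP Range header with a cap on
# the number of ranges, the class of check the advisory describes as
# missing. MAX_RANGES is an assumed value chosen for illustration.
MAX_RANGES = 16

class TooManyRanges < StandardError; end

# Parses a Range header value into [first, last] byte offsets for a resource
# of +size+ bytes. Returns nil when the header is syntactically invalid or
# names no satisfiable range (the caller can then answer 416 or ignore the
# header). Raises TooManyRanges when more than +max_ranges+ range specs are
# present; that check runs before any per-range work, so the cost an
# attacker can impose per request stays bounded.
def parse_byte_ranges(header, size, max_ranges: MAX_RANGES)
  return nil if size <= 0
  return nil unless header && header.start_with?("bytes=")

  # Counting comes first: it costs one pass over the header, not one unit
  # of work (file read, multipart boundary) per range.
  specs = header.delete_prefix("bytes=").split(",", -1).map(&:strip)
  raise TooManyRanges, "#{specs.size} ranges (max #{max_ranges})" if specs.size > max_ranges

  ranges = []
  specs.each do |spec|
    m = spec.match(/\A(\d*)-(\d*)\z/)
    return nil unless m                  # malformed spec invalidates the header
    first, last = m[1], m[2]
    if first.empty?
      return nil if last.empty?          # "-" alone is invalid
      suffix = last.to_i                 # "-500" means the last 500 bytes
      next if suffix.zero?               # "-0" is unsatisfiable; skip it
      ranges << [[size - suffix, 0].max, size - 1]
    else
      first_i = first.to_i
      return nil if !last.empty? && last.to_i < first_i  # "500-100" is invalid
      next if first_i >= size            # starts past the end: unsatisfiable
      last_i = last.empty? ? size - 1 : [last.to_i, size - 1].min
      ranges << [first_i, last_i]
    end
  end
  ranges.empty? ? nil : ranges
end

# Constructed attacker header: +count+ one-byte ranges, the pattern the
# advisory describes. A server honouring each one would have to emit a
# separate part of a multipart/byteranges response per range.
def flood_range_header(count)
  "bytes=" + Array.new(count) { |i| "#{i}-#{i}" }.join(",")
end

# true if the header would be processed, false if the cap rejects it.
def accepts?(header, size, max_ranges: MAX_RANGES)
  parse_byte_ranges(header, size, max_ranges: max_ranges)
  true
rescue TooManyRanges
  false
end

if __FILE__ == $PROGRAM_NAME
  p parse_byte_ranges("bytes=0-99,200-299,-10", 1000)  # => [[0, 99], [200, 299], [990, 999]]
  p accepts?(flood_range_header(5000), 1_000_000)       # => false
end
```

The point of the ordering is that the cap is evaluated from the header text alone, before the server opens the blob or builds a response, so a request with thousands of ranges is refused at the same cost as one with two. A server that instead parsed every range first and only then checked the total would have already paid the CPU cost the advisory describes.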
Recommendations
Update to Rails 8.1.2.1 or later (8.1 series).
Update to Rails 8.0.4.1 or later (8.0 series).
Update to Rails 7.2.3.1 or later (7.2 series).
Check which version an application runs with `bundle exec rails --version` (or `bundle list | grep rails`) before and after updating, and redeploy so the running processes pick up the new gems.
Exploit · Fix · DoS
Weakness Enumeration
Allocation of Resources Without Limits
Affected Products
Rails
Red Os