GHSA/SYNC: 1 brand new rails-related advisory

jasnow · postmodern · commit dfabfc18fb5e · 2026-03-26T09:48:49.000-07:00
diff --git a/gems/activestorage/CVE-2026-33658.yml b/gems/activestorage/CVE-2026-33658.yml
@@ -0,0 +1,29 @@
+---
+gem: activestorage
+framework: rails
+cve: 2026-33658
+ghsa: p9fm-f462-ggrg
+url: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
+title: Rails Active Storage has a possible DoS vulnerability in
+  proxy mode via multi-range requests
+date: 2026-03-25
+description: |
+  ## Impact
+
+  Active Storage’s proxy controller does not limit the number of byte
+  ranges in an HTTP Range header. A request with thousands of small
+  ranges causes disproportionate CPU usage compared to a normal
+  request for the same file, possibly resulting in a DoS vulnerability.
+patched_versions:
+  - "~> 7.2.3.1"
+  - "~> 8.0.4.1"
+  - ">= 8.1.2.1"
+related:
+  url:
+    - https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906
+    - https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released
+    - https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch
+    - https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c.patch
+    - https://github.com/rails/rails/commit/b8a1665824a43d71cd6406cf9adcae842ceb1c22.patch
+    - https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
+    - https://github.com/advisories/GHSA-p9fm-f462-ggrg
