Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.
Releases
The fixed releases are available at the normal locations.
AnalysisAI
Rails Active Storage's proxy controller fails to limit the number of byte ranges accepted in HTTP Range headers, allowing attackers to craft requests with thousands of small ranges that consume disproportionate CPU resources compared to legitimate file requests. This denial-of-service vulnerability affects Ruby on Rails applications using the ActiveStorage library (pkg:rubygems/activestorage). An attacker can trigger resource exhaustion by sending Range requests with many byte ranges, potentially rendering the application unavailable to legitimate users.
Technical ContextAI
The vulnerability exists in Rails Active Storage, a Ruby library for handling file uploads and attachments in Rails applications (CPE: pkg:rubygems/activestorage). The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), which describes the failure to implement proper input validation and resource constraints. The HTTP Range header, defined in RFC 7233, allows clients to request specific byte ranges of a file; however, Active Storage's proxy controller lacks validation to restrict the number of ranges per request. When a client sends a malformed or malicious Range header specifying thousands of small byte ranges, the server attempts to process each range individually, leading to CPU exhaustion and algorithmic complexity attacks that degrade far beyond the cost of a normal full-file request.
RemediationAI
Upgrade the ActiveStorage gem to the fixed version released by the Rails team; consult https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg for specific patched versions and run bundle update activestorage in your Rails application. As an interim mitigation if patching is delayed, implement HTTP request filtering at the reverse proxy or web server level (e.g., nginx, Apache) to reject Range headers with excessive byte-range specifications (e.g., more than 10-20 ranges per request), or temporarily disable Range request support if not critical for your use case. Additionally, monitor CPU usage on Active Storage proxy endpoints for anomalous patterns indicative of range-based DoS attacks.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16426