Skip to main content

CVE-2026-33658

| EUVDEUVD-2026-16426 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-25 https://github.com/rails/rails
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 21:17 euvd
EUVD-2026-16426
Analysis Generated
Mar 25, 2026 - 21:17 vuln.today
CVE Published
Mar 25, 2026 - 21:04 nvd
LOW 2.3

DescriptionGitHub Advisory

Impact

Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

Rails Active Storage's proxy controller fails to limit the number of byte ranges accepted in HTTP Range headers, allowing attackers to craft requests with thousands of small ranges that consume disproportionate CPU resources compared to legitimate file requests. This denial-of-service vulnerability affects Ruby on Rails applications using the ActiveStorage library (pkg:rubygems/activestorage). An attacker can trigger resource exhaustion by sending Range requests with many byte ranges, potentially rendering the application unavailable to legitimate users.

Technical ContextAI

The vulnerability exists in Rails Active Storage, a Ruby library for handling file uploads and attachments in Rails applications (CPE: pkg:rubygems/activestorage). The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), which describes the failure to implement proper input validation and resource constraints. The HTTP Range header, defined in RFC 7233, allows clients to request specific byte ranges of a file; however, Active Storage's proxy controller lacks validation to restrict the number of ranges per request. When a client sends a malformed or malicious Range header specifying thousands of small byte ranges, the server attempts to process each range individually, leading to CPU exhaustion and algorithmic complexity attacks that degrade far beyond the cost of a normal full-file request.

RemediationAI

Upgrade the ActiveStorage gem to the fixed version released by the Rails team; consult https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg for specific patched versions and run bundle update activestorage in your Rails application. As an interim mitigation if patching is delayed, implement HTTP request filtering at the reverse proxy or web server level (e.g., nginx, Apache) to reject Range headers with excessive byte-range specifications (e.g., more than 10-20 ranges per request), or temporarily disable Range request support if not critical for your use case. Additionally, monitor CPU usage on Active Storage proxy endpoints for anomalous patterns indicative of range-based DoS attacks.

Share

CVE-2026-33658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy