Rails Active Storage Denial-of-Service Vulnerability via Unbounded Range Requests
Vulnerability
A denial-of-service vulnerability has been identified in Rails Active Storage versions 8.1.2.1, 8.0.4.1, and prior to 7.2.3.1. When files are served through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. This behavior can be exploited by sending a request with a large or unbounded Range header, such as 'bytes=0-', causing the server to allocate memory proportional to the file size. This memory exhaustion can lead to a denial-of-service condition.
Impact
Exploitation of this vulnerability can cause memory exhaustion on the server, potentially leading to a denial-of-service condition where the server becomes unresponsive or unable to handle requests.
Reproduction
To reproduce this vulnerability, send a request to the Active Storage proxy controller with a Range header that specifies a large or unbounded byte range, using a tool such as curl or Postman or a script that issues the HTTP request. Even if the server responds with a 'Range Not Satisfiable' status, the effect can still be confirmed by monitoring the server's memory usage.
Remediation
Users can upgrade to Rails Active Storage versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 to address this vulnerability.
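The mitigation pattern described above (bounding how much of a requested range is buffered, and streaming the bytes in fixed-size chunks instead of reading the whole range into memory) as an added example. This is not Rails' or Active Storage's own code; the cap and chunk sizes, and the helper names bounded_range and serve_range, are assumptions for illustration.

```ruby
require 'stringio'

# Assumed per-response cap on bytes served for one Range request (not a Rails setting).
DEFAULT_RANGE_CAP = 1 * 1024 * 1024
# Size of each read; memory use is bounded by this, not by the range length.
CHUNK = 64 * 1024

# Parses a single byte range ("bytes=first-last", "bytes=first-", "bytes=-suffix")
# against a body of +size+ bytes. Returns:
#   nil            -> no/unsupported Range header: serve the whole body (200)
#   :unsatisfiable -> first byte lies beyond the end of the body (416)
#   [first, last]  -> inclusive offsets, with last clamped so at most +cap+
#                     bytes are sent; "bytes=0-" thus yields a bounded 206
def bounded_range(header, size, cap: DEFAULT_RANGE_CAP)
  return nil unless header && (m = header.match(/\Abytes=(\d*)-(\d*)\z/))
  first_s, last_s = m[1], m[2]
  return nil if first_s.empty? && last_s.empty?
  if first_s.empty?                      # suffix form: the last N bytes
    n = last_s.to_i
    return :unsatisfiable if n.zero? || size.zero?
    first = [size - n, 0].max
    last  = size - 1
  else
    first = first_s.to_i
    last  = last_s.empty? ? size - 1 : [last_s.to_i, size - 1].min
  end
  return :unsatisfiable if first >= size || first > last
  [first, [last, first + cap - 1].min]
end

# Builds a Rack-style [status, headers, body] triple. The vulnerable shape is
# io.read(last - first + 1) in one call; here the body is an Enumerator that
# seeks once and yields CHUNK-sized pieces, so no allocation scales with the range.
def serve_range(io, size, range_header, cap: DEFAULT_RANGE_CAP)
  range = bounded_range(range_header, size, cap: cap)
  return [416, { 'Content-Range' => "bytes */#{size}" }, []] if range == :unsatisfiable
  first, last = range || [0, size - 1]
  body = Enumerator.new do |y|
    io.seek(first)
    remaining = last - first + 1
    while remaining > 0
      chunk = io.read([CHUNK, remaining].min) or break
      remaining -= chunk.bytesize
      y << chunk
    end
  end
  headers = { 'Content-Length' => (last - first + 1).to_s, 'Accept-Ranges' => 'bytes' }
  headers['Content-Range'] = "bytes #{first}-#{last}/#{size}" if range
  [range ? 206 : 200, headers, body]
end
```

A client that needs the rest of the file simply follows the Content-Range header with another request, which is the normal HTTP 206 flow.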