Rails Active Storage HTTP Range Header DoS Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Rails Active Storage versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. The issue is in the proxy controller, which does not limit the number of byte ranges accepted in an HTTP Range header. A single request whose Range header lists thousands of small ranges therefore costs far more CPU than a normal file request, so a small number of such requests can consume the server's capacity.

Impact

Exploitation of this vulnerability leads to significantly increased CPU usage on the application server, resulting in a denial-of-service condition for other requests.

Remediation

Upgrade to Active Storage 8.1.2.1, 8.0.4.1, or 7.2.3.1, whichever matches the release series in use. Because the issue is in the proxy controller, only applications that serve blobs through Active Storage's proxy endpoints are exposed; applications that only redirect to the storage service do not route file bytes through this code path. Until the upgrade is deployed, rejecting or truncating Range headers that carry a large number of comma-separated ranges at a reverse proxy or WAF in front of the application is a reasonable interim measure.
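The following is an added example of the kind of guard the advisory implies: it is not Rails' own code, not the upstream patch, and not the advisory's text. It parses a "bytes=" Range header into resolved [first, last] pairs and refuses the request before doing any per-range work when the number of ranges exceeds a cap. The cap value MAX_RANGES (32) and the choice to answer an oversized range list with 416 are assumptions made for illustration, and the abusive header is constructed here, not captured from a real attack.

```ruby
# Added example (not Rails' own code). MAX_RANGES is an assumed cap chosen
# for illustration; RFC 9110 sets no limit, so each server must pick one.
MAX_RANGES = 32

# Parses a Range header for a resource of +size+ bytes.
# Returns:
#   nil             - header absent or not a "bytes=" range; serve the whole object
#   :too_many       - more than +max_ranges+ ranges requested; rejected before
#                     any per-range allocation or I/O is done
#   :unsatisfiable  - every range falls outside the resource
#   Array           - resolved [first, last] pairs (inclusive)
def parse_byte_ranges(header, size, max_ranges: MAX_RANGES)
  return nil if header.nil?
  m = header.match(/\Abytes=(.*)\z/)
  return nil unless m

  # Cheap pre-check: count separators instead of splitting thousands of specs.
  # This is the check whose absence the advisory describes.
  return :too_many if m[1].count(",") + 1 > max_ranges

  ranges = []
  m[1].split(",").each do |spec|
    spec = spec.strip
    if (sm = spec.match(/\A(\d+)-(\d*)\z/))
      # "first-last" or "first-" (to end of resource)
      first = sm[1].to_i
      last  = sm[2].empty? ? size - 1 : [sm[2].to_i, size - 1].min
    elsif (sm = spec.match(/\A-(\d+)\z/))
      # "-N": the last N bytes; "-0" is unsatisfiable
      suffix = sm[1].to_i
      next if suffix.zero?
      first = [size - suffix, 0].max
      last  = size - 1
    else
      return nil # malformed header: ignore it, per RFC 9110
    end
    next if first > last # range starts past the end: skip it
    ranges << [first, last]
  end

  ranges.empty? ? :unsatisfiable : ranges
end

# Maps the parser result to the status a proxy endpoint would return.
# Answering :too_many with 416 is an assumed policy; ignoring the header and
# returning 200 with the full object is an equally valid choice.
def range_response_status(result)
  case result
  when nil            then 200
  when :too_many      then 416
  when :unsatisfiable then 416
  else                     206
  end
end

# Constructed abusive header of the shape the advisory describes: thousands of
# one-byte ranges. The guard rejects it after a single count of separators.
ABUSIVE_HEADER = "bytes=" + (0...5000).map { |i| "#{i}-#{i}" }.join(",")

if __FILE__ == $PROGRAM_NAME
  p parse_byte_ranges("bytes=0-99,200-", 1000)     # [[0, 99], [200, 999]]
  p parse_byte_ranges(ABUSIVE_HEADER, 1000)        # :too_many
  p range_response_status(parse_byte_ranges(ABUSIVE_HEADER, 1000)) # 416
end
```

The important property is the order of operations: the count check runs on the raw header string before any range is resolved, so the cost of an oversized request is one string scan rather than thousands of range computations and partial reads.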

Added: Mar 26, 2026, 10:46 PM
Updated: Mar 26, 2026, 10:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.