NIXPKGS-2026-0788

GitHub issue published on

Permalink CVE-2026-33658

updated 1 month, 1 week ago by @LeSuisse Activity log

Created suggestion 1 month, 1 week ago
@LeSuisse accepted 1 month, 1 week ago
@LeSuisse published on GitHub 1 month, 1 week ago

Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

References

https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg x_refsource_CONFIRM
https://github.com/rails/rails/releases/tag/v7.2.3.1 x_refsource_MISC
https://github.com/rails/rails/releases/tag/v8.0.4.1 x_refsource_MISC
https://github.com/rails/rails/releases/tag/v8.1.2.1 x_refsource_MISC
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml x_refsource_MISC

Affected products

activestorage

==>= 8.1.0, < 8.1.2.1
==< 7.2.3.1
==>= 8.0.0, < 8.0.4.1

Matching in nixpkgs

pkgs.rubyPackages.activestorage

None

nixos-unstable 7.2.3
- nixpkgs-unstable 7.2.3
- nixos-unstable-small 7.2.3
nixos-25.11 7.2.3
- nixos-25.11-small 7.2.3
- nixpkgs-25.11-darwin 7.2.3

pkgs.rubyPackages_3_1.activestorage

None

pkgs.rubyPackages_3_2.activestorage

None

pkgs.rubyPackages_3_3.activestorage

None

nixos-unstable 7.2.3
- nixpkgs-unstable 7.2.3
- nixos-unstable-small 7.2.3
nixos-25.11 7.2.3
- nixos-25.11-small 7.2.3
- nixpkgs-25.11-darwin 7.2.3

pkgs.rubyPackages_3_4.activestorage

None

nixos-unstable 7.2.3
- nixpkgs-unstable 7.2.3
- nixos-unstable-small 7.2.3
nixos-25.11 7.2.3
- nixos-25.11-small 7.2.3
- nixpkgs-25.11-darwin 7.2.3

pkgs.rubyPackages_4_0.activestorage

None

nixos-unstable 7.2.3
- nixpkgs-unstable 7.2.3
- nixos-unstable-small 7.2.3
nixos-25.11 7.2.3
- nixos-25.11-small 7.2.3
- nixpkgs-25.11-darwin 7.2.3

Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0788

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.activestorage

pkgs.rubyPackages_3_1.activestorage

pkgs.rubyPackages_3_2.activestorage

pkgs.rubyPackages_3_3.activestorage

pkgs.rubyPackages_3_4.activestorage

pkgs.rubyPackages_4_0.activestorage