DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-33173: Content Type Bypass via Metadata Injection in Rails Active Storage

Vulnerability ID: CVE-2026-33173
CVSS Score: 5.3
Published: 2026-03-23

Ruby on Rails Active Storage versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1 contain an insecure parameter handling vulnerability in the DirectUploadsController. When a direct upload is initialized, an attacker can inject internal state flags into the blob's metadata JSON column, bypassing server-side content type identification and enabling the upload of malicious payloads such as HTML files masquerading as benign images. Whether this becomes stored XSS depends on how the blob is later served: inline from the application's own origin is the dangerous case, while an attachment download from a separate origin is not.

TL;DR

A parameter injection flaw in Rails Active Storage lets an attacker bypass file type validation by pre-setting internal metadata flags (for example identified: true) in the direct upload request, so the declared content type is trusted without the bytes ever being inspected. This enables the upload of dangerous file types and can lead to stored Cross-Site Scripting (XSS).


Technical Details

  • CWE ID: CWE-915
  • Attack Vector: Network
  • CVSS v4.0: 5.3
  • Impact: Content Type Bypass / Stored XSS
  • Exploit Status: None
  • CISA KEV: False

Affected Systems

  • Ruby on Rails
  • Active Storage
  • Rails Active Storage: < 7.2.3.1 (Fixed in: 7.2.3.1)
  • Rails Active Storage: >= 8.0.0.beta1, < 8.0.4.1 (Fixed in: 8.0.4.1)
  • Rails Active Storage: >= 8.1.0.beta1, < 8.1.2.1 (Fixed in: 8.1.2.1)

Code Analysis

Fix Commit (8.1.x)

Commit: d9502f5

Fix Commit (8.0.x)

Commit: 8fcb934

Fix Commit (7.2.x)

Commit: 707c0f1

Mitigation Strategies

  • Upgrade the Ruby on Rails application to a patched release for its series (7.2.3.1, 8.0.4.1, or 8.1.2.1).
  • As an interim measure, add a before_action filter on the direct uploads controller that strips protected metadata keys (such as identified) from client-supplied metadata before the blob is created.
  • Enforce strict Content-Security-Policy (CSP) headers on the domains that serve user uploads.
  • Configure the storage service to serve untrusted files with a Content-Disposition: attachment header so they are downloaded rather than rendered inline.
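The Ruby script below is an added example, not code from Rails or from the CVE Reports page. It models the metadata path described in the summary and the interim filter from the mitigation list: a direct-upload request that pre-sets identified: true reaches the blob with its declared content type untouched, while the sanitized request has its bytes identified. The content sniffer is a constructed stand-in for Marcel, the attacker request is constructed, and the protected key list and the Rails before_action hook at the end are assumptions for an app still on an unpatched release; the hook registers only when Rails is loaded, so the file also runs stand-alone.

```ruby
# Added example (not Rails' own code): models the direct-upload metadata
# path and the interim before_action filter from the mitigation list.
require "json"

# Internal Active Storage state flags that a client must never be allowed
# to pre-set through the direct-upload "metadata" parameter (assumed list).
PROTECTED_METADATA_KEYS = %w[identified analyzed composed].freeze

# Drop protected keys from client-supplied metadata. Keys may arrive as
# strings (parsed JSON) or symbols (permitted params), so compare on to_s.
def sanitize_direct_upload_metadata(metadata)
  return {} unless metadata.respond_to?(:each_pair)
  metadata.reject { |key, _| PROTECTED_METADATA_KEYS.include?(key.to_s) }
end

# Constructed stand-in for Marcel's magic-byte sniffing; only the two types
# needed to show the bypass are recognised.
def sniff_content_type(bytes)
  return "image/png" if bytes.start_with?("\x89PNG\r\n\x1a\n".b)
  return "text/html" if bytes.lstrip.start_with?("<")
  "application/octet-stream"
end

def identified?(metadata)
  return false unless metadata.respond_to?(:each_pair)
  metadata.any? { |key, value| key.to_s == "identified" && value == true }
end

# Mirrors the shape of the identify step: when the blob is already flagged as
# identified, the declared content type is kept and the bytes are never sniffed.
def effective_content_type(declared_content_type, metadata, bytes)
  identified?(metadata) ? declared_content_type : sniff_content_type(bytes)
end

# Constructed attacker request: an HTML payload declared as image/png, with
# the internal flag pre-set so identification is skipped server-side.
HTML_PAYLOAD = "<!DOCTYPE html><script>alert(document.domain)</script>".b
ATTACKER_BLOB_PARAMS = JSON.parse(<<~BODY).freeze
  {"filename": "avatar.png", "byte_size": #{HTML_PAYLOAD.bytesize},
   "content_type": "image/png", "metadata": {"identified": true}}
BODY

# Unpatched behaviour: client-controlled metadata reaches the blob as-is.
def vulnerable_direct_upload(blob_params, bytes)
  effective_content_type(blob_params["content_type"], blob_params["metadata"], bytes)
end

# Interim mitigation: strip protected keys before the blob is created.
def hardened_direct_upload(blob_params, bytes)
  metadata = sanitize_direct_upload_metadata(blob_params["metadata"])
  effective_content_type(blob_params["content_type"], metadata, bytes)
end

# Rails hook applying the same filter (assumption: unpatched release, and
# ActiveStorage::DirectUploadsController is the entry point). Registered only
# when Rails is loaded, so this file also runs stand-alone.
if defined?(Rails) && Rails.respond_to?(:application) && Rails.application
  Rails.application.config.to_prepare do
    ActiveStorage::DirectUploadsController.before_action do
      metadata = params.dig(:blob, :metadata)
      PROTECTED_METADATA_KEYS.each { |key| metadata.delete(key) } if metadata.respond_to?(:delete)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unpatched: #{vulnerable_direct_upload(ATTACKER_BLOB_PARAMS, HTML_PAYLOAD)}"
  puts "hardened:  #{hardened_direct_upload(ATTACKER_BLOB_PARAMS, HTML_PAYLOAD)}"
end
```

Run it with ruby directly; outside Rails the hook registration is skipped and only the model runs. The filter is a stopgap: it removes the one input the bypass needs, but it does not replace the upgrade, and any other flag Active Storage sets on a blob after upload belongs on the same strip list.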

Remediation Steps:

  1. Pin rails in the Gemfile to a patched release for your series (>= 7.2.3.1, >= 8.0.4.1, or >= 8.1.2.1).
  2. Run bundle update rails to fetch the patched dependencies.
  3. Run the application test suite to verify no regressions exist in the file upload pipeline.
  4. Deploy the updated application code to all production and staging environments.
