CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33174: Denial of Service via Unbounded Memory Allocation in Rails Active Storage

Vulnerability ID: CVE-2026-33174
CVSS Score: 6.6
Published: 2026-03-23

Rails Active Storage is vulnerable to a denial of service attack due to improper handling of HTTP Range headers in proxy mode. By supplying an unbounded byte range, an attacker can force the application to perform excessive memory allocation, leading to process termination via the Out-Of-Memory (OOM) killer.

TL;DR

Unbounded HTTP Range requests in Rails Active Storage proxy mode cause excessive heap allocations. This leads to Out-of-Memory (OOM) crashes and Denial of Service. Administrators must patch to versions 7.2.3.1, 8.0.4.1, or 8.1.2.1.

⚠️ Exploit Status: Proof of Concept

Technical Details

  • CWE ID: CWE-789
  • Attack Vector: Network
  • CVSS v4.0 Score: 6.6 (Medium)
  • Impact: Denial of Service (Availability)
  • Exploit Status: Proof of Concept
  • CISA KEV: Not Listed

Affected Systems

  • Ruby on Rails Active Storage (activestorage gem)
  • activestorage: < 7.2.3.1 (Fixed in: 7.2.3.1)
  • activestorage: >= 8.0.0.beta1, < 8.0.4.1 (Fixed in: 8.0.4.1)
  • activestorage: >= 8.1.0.beta1, < 8.1.2.1 (Fixed in: 8.1.2.1)

Code Analysis

Commit: 42012ea

Fix memory exhaustion in Active Storage proxy mode (8.1.x)

Commit: 2cd933c

Fix memory exhaustion in Active Storage proxy mode (8.0.x)

Commit: 8159a9c

Fix memory exhaustion in Active Storage proxy mode (7.2.x)

Mitigation Strategies

  • Upgrade to patched versions of the activestorage gem.
  • Configure a lower maximum chunk size via ActiveStorage.streaming_chunk_max_size in memory-constrained environments.
  • Cap the number of ranges per request via ActiveStorage.streaming_max_ranges, so that many small ranges cannot add up to an excessive aggregate allocation.
  • If patching is not yet possible, use WAF rules to drop abusive Range headers on proxy endpoints.
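As an added illustration (not Rails' own code), the Ruby below sketches the two limits the mitigations above name: a cap on how many bytes are allocated per chunk and a cap on how many ranges one request may carry. It shows why a chunked plan keeps peak memory fixed no matter how wide the requested byte range is; the constants, function names and the 100 MiB sample blob are assumptions.

```ruby
# Added example, not Rails' own code. The two keyword limits mirror the knobs the
# advisory names (streaming_chunk_max_size, streaming_max_ranges); names are assumed.
RangeRejected = Class.new(StandardError)

# Parse "bytes=a-b,c-d,..." against a blob of +content_length+ bytes.
# Returns inclusive [first, last] pairs; raises on malformed input or when the
# request carries more than +max_ranges+ ranges (the aggregate-allocation guard).
def parse_byte_ranges(header, content_length, max_ranges:)
  m = header.to_s.match(/\Abytes=(.+)\z/)
  raise RangeRejected, 'only byte ranges are supported' unless m
  specs = m[1].split(',').map(&:strip)
  raise RangeRejected, "#{specs.size} ranges exceeds limit of #{max_ranges}" if specs.size > max_ranges
  specs.map do |spec|
    md = spec.match(/\A(\d*)-(\d*)\z/)
    raise RangeRejected, "malformed range #{spec.inspect}" if md.nil? || (md[1].empty? && md[2].empty?)
    first, last = md[1], md[2]
    if first.empty?                          # "-N": the final N bytes of the blob
      len = [last.to_i, content_length].min
      raise RangeRejected, 'empty suffix range' if len.zero?
      [content_length - len, content_length - 1]
    else
      f = first.to_i
      raise RangeRejected, 'range starts past end of blob' if f >= content_length
      l = last.empty? ? content_length - 1 : [last.to_i, content_length - 1].min
      raise RangeRejected, 'range end precedes start' if l < f
      [f, l]
    end
  end
end

# Split each requested range into chunks of at most +chunk_max+ bytes. The
# vulnerable pattern allocates (last - first + 1) bytes per range at once; with
# this plan the largest single allocation is chunk_max, whatever the header says.
def plan_chunks(header, content_length, chunk_max:, max_ranges:)
  parse_byte_ranges(header, content_length, max_ranges: max_ranges).flat_map do |first, last|
    (first..last).step(chunk_max).map { |start| [start, [start + chunk_max - 1, last].min] }
  end
end

# Peak bytes a naive "read the whole range" implementation would allocate.
def naive_peak_allocation(header, content_length, max_ranges:)
  parse_byte_ranges(header, content_length, max_ranges: max_ranges).map { |f, l| l - f + 1 }.max
end

if __FILE__ == $0
  blob = 100 * 1024 * 1024   # constructed: a 100 MiB blob served in proxy mode
  plan = plan_chunks('bytes=0-', blob, chunk_max: 1024 * 1024, max_ranges: 5)
  puts "naive peak: #{naive_peak_allocation('bytes=0-', blob, max_ranges: 5)} bytes"
  puts "chunked: #{plan.size} chunks, largest #{plan.map { |f, l| l - f + 1 }.max} bytes"
end
```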

Remediation Steps:

  1. Identify the current version of the activestorage gem in the application's Gemfile.lock.
  2. Update the Gemfile to specify a secure version (e.g., '~> 8.1.2.1').
  3. Run 'bundle update activestorage' to apply the patch.
  4. Review config/environments/production.rb and adjust streaming_chunk_max_size based on worker memory limits.
  5. Deploy the updated application to the production environment.

Read the full report for CVE-2026-33174 on our website for more details including interactive diagrams and full exploit analysis.