CVE-2026-33658 (activestorage): Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range reque...

The RubyLA blog offers insights, tutorials, and community updates for Ruby developers in Los Angeles and beyond. Developers can explore Ruby language features, web development frameworks, and best practices for building Ruby applications. Additionally, the blog covers Ruby meetups, events, and job opportunities in the Los Angeles area, fostering collaboration and networking within the local Ruby community.

RUBYLAND

A DoS vulnerability (CVE-2026-33658) has been disclosed in Rails Active Storage's proxy controller. The controller fails to limit the number of byte ranges in an HTTP Range header, allowing attackers to send requests with thousands of small ranges, causing disproportionate CPU usage. Patched versions are ~> 7.2.3.1, ~> 8.0.4.1, and >= 8.1.2.1.

CVE-2026-33658 (activestorage): Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests