CVE-2026-33658 (Medium) detected in activestorage-8.0.4.gem

[mend-bolt-for-github]

CVE-2026-33658 - Medium Severity Vulnerability

Vulnerable Library - activestorage-8.0.4.gem

Attach cloud and local files in Rails applications.

Library home page: https://rubygems.org/gems/activestorage-8.0.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/activestorage-8.0.4.gem

Dependency Hierarchy:

• gettext_i18n_rails_js-1.3.1.gem (Root Library)
  • rails-8.0.4.gem
    • ❌ activestorage-8.0.4.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Impact Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Releases The fixed releases are available at the normal locations.

Publish Date: 2026-03-25

URL: CVE-2026-33658

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with Mend here