Listen to this Post
The vulnerability resides in Active Storage’s Blobs::ProxyController, which is used when serving files in proxy mode. When a client sends an HTTP request with a `Range` header, the controller reads the entire requested byte range into memory before streaming it back. A malicious actor can craft a `Range` header that is unbounded—for example, bytes=0-—which instructs the server to load the whole file into RAM. Because the controller does not validate or cap the requested range, this forces the server to allocate memory proportional to the file size. If an attacker repeatedly issues such requests against large files, the cumulative memory consumption can exhaust available memory, leading to a denial of service (DoS). The issue affects Rails versions 8.1.0.beta1 through 8.1.2.0, 8.0.0.beta1 through 8.0.4.0, and all versions below 7.2.3.1. The fix introduces validation to reject or safely handle malformed and unbounded range requests, preventing excessive memory allocation. Patched releases (8.1.2.1, 8.0.4.1, 7.2.3.1) were made available on March 23, 2026.
Platform: Rails ActiveStorage
Version: Multiple versions affected
Vulnerability : DoS via Range
Severity: Moderate
date: Mar 23 2026
Prediction: Patch already released
What Undercode Say:
Check current Rails version rails -v Test for vulnerability (simulate unbounded Range request) curl -H "Range: bytes=0-" http://localhost:3000/rails/active_storage/blobs/proxy/<blob-id>/file Identify affected gem versions gem list rails | grep -E "7.2.[0-2]|8.0.[0-3]|8.1.[0-1]" Quick fix: upgrade to patched version bundle update rails --conservative
Exploit:
An attacker sends a GET request to the proxy endpoint with a `Range: bytes=0-` header. The server loads the entire file into memory, causing excessive memory consumption. Repeated requests with large files lead to memory exhaustion and service unavailability.
Protection from this CVE:
Upgrade to Rails 7.2.3.1, 8.0.4.1, or 8.1.2.1. Alternatively, apply the relevant patch or disable proxy mode if not required.
Impact:
Denial of service (DoS) through memory exhaustion, potentially taking down the Rails application under sustained attack.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

