Listen to this Post
The vulnerability exists in DiskServicedelete_prefixed, a method used by Active Storage to delete all blobs sharing a given prefix. The method constructs a filesystem path and passes it directly to `Dir.glob` without sanitizing glob metacharacters (“, ?, [], {}, etc.). If an attacker can control part of a blob key—or if custom key generation introduces these characters—the glob pattern may expand beyond the intended directory scope. For example, a key like `../../` or `../sensitive/` could cause the service to delete arbitrary files outside the storage directory. The issue affects versions prior to the patched releases: 7.2.3.1, 8.0.4.1, and 8.1.2.1. The fix introduces escaping of glob metacharacters, ensuring that keys are treated as literal strings rather than patterns. The attack requires that the application allows user input to influence blob keys (e.g., via custom filenames or metadata) and that the application calls `delete_prefixed` with such keys. Because the storage directory is typically isolated, the risk is moderate but can lead to data loss or application disruption if exploited.
Platform: Rails
Version: <7.2.3.1,<8.0.4.1,<8.1.2.1
Vulnerability : Glob Injection
Severity: Moderate
date: Mar 23 2026
Prediction: Already patched
Analytics under What Undercode Say:
Check current Rails version rails -v List affected versions gem list rails | grep -E "7.2.[0-3]|8.0.[0-3]|8.1.[0-2]" Update to patched version bundle update rails --patch Verify vulnerable method usage in code grep -r "delete_prefixed" app/ lib/
Exploit:
Attacker-controlled blob key with glob metacharacters key = "../../../tmp/secret.txt" If the app calls DiskService.delete_prefixed(key) Dir.glob expands and deletes unintended files.
Protection from this CVE
- Upgrade to Rails 7.2.3.1, 8.0.4.1, or 8.1.2.1.
- If patching is delayed, avoid user input in blob keys passed to
delete_prefixed. - Sanitize keys manually: `key.gsub(/[?{}\[\]]/, “\\\\\\0”)` before deletion.
- Use alternative storage services (e.g., S3) that do not rely on globbing.
Impact:
An attacker could delete arbitrary files within the storage directory (or outside if path traversal is combined), leading to data loss, service disruption, or unintended deletion of application assets.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

