Rails Active Storage, Glob Injection, CVE (pending) (Moderate)

Listen to this Post

The vulnerability exists in DiskServicedelete_prefixed, a method used by Active Storage to delete all blobs sharing a given prefix. The method constructs a filesystem path and passes it directly to `Dir.glob` without sanitizing glob metacharacters (“, ?, [], {}, etc.). If an attacker can control part of a blob key—or if custom key generation introduces these characters—the glob pattern may expand beyond the intended directory scope. For example, a key like `../../` or `../sensitive/` could cause the service to delete arbitrary files outside the storage directory. The issue affects versions prior to the patched releases: 7.2.3.1, 8.0.4.1, and 8.1.2.1. The fix introduces escaping of glob metacharacters, ensuring that keys are treated as literal strings rather than patterns. The attack requires that the application allows user input to influence blob keys (e.g., via custom filenames or metadata) and that the application calls `delete_prefixed` with such keys. Because the storage directory is typically isolated, the risk is moderate but can lead to data loss or application disruption if exploited.
Platform: Rails
Version: <7.2.3.1,<8.0.4.1,<8.1.2.1
Vulnerability : Glob Injection
Severity: Moderate
date: Mar 23 2026

Prediction: Already patched

Analytics under What Undercode Say:

Check current Rails version
rails -v
List affected versions
gem list rails | grep -E "7.2.[0-3]|8.0.[0-3]|8.1.[0-2]"
Update to patched version
bundle update rails --patch
Verify vulnerable method usage in code
grep -r "delete_prefixed" app/ lib/

Exploit:

Attacker-controlled blob key with glob metacharacters
key = "../../../tmp/secret.txt"
If the app calls DiskService.delete_prefixed(key)
Dir.glob expands and deletes unintended files.

Protection from this CVE

  • Upgrade to Rails 7.2.3.1, 8.0.4.1, or 8.1.2.1.
  • If patching is delayed, avoid user input in blob keys passed to delete_prefixed.
  • Sanitize keys manually: `key.gsub(/[?{}\[\]]/, “\\\\\\0”)` before deletion.
  • Use alternative storage services (e.g., S3) that do not rely on globbing.

Impact:

An attacker could delete arbitrary files within the storage directory (or outside if path traversal is combined), leading to data loss, service disruption, or unintended deletion of application assets.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top