Listen to this Post
The vulnerability resides in Active Storage’s `DiskServicepath_for` method. This method constructs a filesystem path by appending a blob key to a configured storage root directory without any validation. Under normal conditions blob keys are trusted internal strings, but when an application passes unsanitized user input as a key, an attacker can supply a key containing path traversal sequences like ../. Because the method does not verify that the resolved path remains inside the storage root, an attacker can traverse out of the intended directory. This enables arbitrary file read, write, or delete operations on the server. Affected versions include Rails 8.1.0.beta1 through 8.1.2.0, 8.0.0.beta1 through 8.0.4.0, and all versions prior to 7.2.3.1. The fix introduces a validation step that checks the resolved path stays within the storage root. Patched versions are 8.1.2.1, 8.0.4.1, and 7.2.3.1. The vulnerability is classified as high severity due to the potential for full filesystem compromise.
Platform: Rails
Version: 7.2,8.0,8.1
Vulnerability: Path Traversal
Severity: High
date: March 23, 2026
Prediction: Patched March 23
What Undercode Say:
Test for vulnerable path traversal using a crafted blob key curl -X POST https://target.com/rails/active_storage/disk/ \ -F "blob_key=../../../etc/passwd" \ -F "[email protected]"
Vulnerable code snippet (DiskServicepath_for) def path_for(key) File.join(root, key) end Patched code adds validation def path_for(key) full_path = File.join(root, key) unless full_path.start_with?(root) raise "Invalid key" end full_path end
How Exploit:
Craft a blob key containing `../` sequences to escape the storage root, then use Active Storage endpoints to read, write, or delete arbitrary files (e.g., /etc/passwd, application secrets, or critical system files).
Protection from this CVE
Upgrade to patched versions 7.2.3.1, 8.0.4.1, or 8.1.2.1. If upgrading is not possible, validate all user-supplied blob keys against a strict whitelist and ensure they never contain path traversal characters.
Impact
Arbitrary file read, write, and deletion on the server filesystem, potentially leading to sensitive data exposure, code execution, or complete system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

