CVE-2026-33173.yml
---
gem: activestorage
framework: rails
cve: 2026-33173
ghsa: qcfx-2mfw-w4cg
url: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
title: Rails Active Storage has possible content type bypass via metadata in direct uploads
date: 2026-03-23
description: |
  ### Impact
  Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob.
  Because internal flags like `identified` and `analyzed` are stored in the same metadata hash,
  a malicious direct-upload client could set these flags.
  ### Releases
  The fixed releases are available at the normal locations.
patched_versions:
  - "~> 7.2.3, >= 7.2.3.1"
  - "~> 8.0.4, >= 8.0.4.1"
  - ">= 8.1.2.1"
related:
  url:
    - https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
    - https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
    - https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
    - https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
    - https://github.com/rails/rails/releases/tag/v7.2.3.1
    - https://github.com/rails/rails/releases/tag/v8.0.4.1
    - https://github.com/rails/rails/releases/tag/v8.1.2.1
    - https://github.com/advisories/GHSA-qcfx-2mfw-w4cg