Active Storage is a Rails framework component that enables attaching cloud and local files to applications. In versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1, a vulnerability exists in the proxy delivery mode where the proxy controller processes HTTP Range requests by loading the entire requested byte range into memory before streaming it to the client. If an attacker sends a Range header with a large or unbounded value (e.g., bytes=0-), the server attempts to allocate memory proportional to the requested file size. This can cause excessive memory consumption, potentially exhausting server resources and leading to denial-of-service conditions. The vulnerability is classified under CWE-789 (Memory Allocation with Excessive Size Value). It requires no authentication or user interaction and can be triggered remotely over the network. The CVSS 4.0 base score is 6.6 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability. No known exploits are reported in the wild as of publication. The issue is resolved in Rails versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 by limiting memory allocation or changing how byte ranges are handled in proxy delivery mode.

This vulnerability can lead to denial-of-service attacks against web applications using vulnerable versions of Rails Active Storage with proxy delivery enabled. An attacker can cause the server to consume excessive memory by sending crafted HTTP Range requests, potentially crashing the application or degrading service availability. This impacts the availability of applications, potentially causing downtime or degraded performance. Organizations relying on Rails for file handling, especially those exposing Active Storage proxy delivery publicly, are at risk. The vulnerability does not directly compromise confidentiality or integrity but can disrupt business operations and user access. Large-scale or automated exploitation could affect cloud-hosted services, SaaS providers, and any Rails-based web applications globally. The ease of exploitation and lack of required authentication increase the risk of opportunistic attacks.

The primary mitigation is to upgrade Rails Active Storage to versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later, where the vulnerability is patched. Until upgrading, organizations should consider disabling Active Storage proxy delivery mode if feasible or restrict access to it via network controls such as firewalls or web application firewalls (WAFs) that can detect and block suspicious Range headers. Implement rate limiting on HTTP requests to reduce the risk of memory exhaustion attacks. Monitoring application logs for unusually large or malformed Range headers can help detect exploitation attempts. Additionally, configuring memory limits and resource quotas at the application or container level can prevent a single request from exhausting server memory. Security teams should audit their Rails applications to identify usage of Active Storage proxy delivery and prioritize patching accordingly.