Added new Rails vulnerabilities #1018

Open
jamgregory wants to merge 1 commit into rubysec:master from jamgregory:rails-vulns
Conversation

@jamgregory (Contributor)

I've added some new Rails vulnerabilities that GitHub security scanning has alerted me to.

@wlads commented Mar 24, 2026

I think the YAML indentation might need adjustment. It should follow a structure like: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml

@postmodern (Member) left a comment

@jamgregory this is the second time you have submitted advisories with incorrect indentation. Please be more careful and review the files before submitting a PR. See the CONTRIBUTING file for YAML style guidelines.

@jamgregory (Contributor, Author)

What happened to: https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906 ?

I see it in: https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released

I'm not sure @jasnow - it didn't seem to be exported by the GHSA sync script, unless I missed it when bringing in the changes 🤔

> I think the YAML indentation might need adjustment. It should follow a structure like: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml

Thanks for your feedback @wlads - I was using the GHSA sync script provided in the repository, so I'm not sure why the indentation wasn't correct.

> @jamgregory this is the second time you have submitted advisories with incorrect indentation. Please be more careful and review the files before submitting a PR. See the CONTRIBUTING file for YAML style guidelines.

Thanks for your feedback @postmodern - this was the output that was generated by the GHSA sync script in this repository. I had reviewed the files and run the tests (which passed locally) before I committed it, so I assumed the output was correct.

Can any of you advise if you use any other linting tools before committing these to the repository? It seems like the sync script doesn't generate correct output so I'd like to ensure I'm following the same processes you all are. Should the tests be flagging up lines that are over 80 characters, for example?

@jasnow (Contributor) commented Mar 25, 2026

> any of you advise if you use any other linting tools before committing these to the repository? It seems like the sync script doesn't generate correct output so I'd like to ensure I'm following the same processes you all are. Should the tests be flagging up lines that are over 80 characters, for example?

yamllint file

@jamgregory (Contributor, Author)

> any of you advise if you use any other linting tools before committing these to the repository? It seems like the sync script doesn't generate correct output so I'd like to ensure I'm following the same processes you all are. Should the tests be flagging up lines that are over 80 characters, for example?
>
> yamllint file

I've just tried yamllint 1.33.0 with gems/activesupport/CVE-2026-33176.yml, and it returned no issues unfortunately 😞

@jamgregory force-pushed the rails-vulns branch 2 times, most recently from 93d0d96 to bd7322e on March 25, 2026 15:22
@jamgregory requested a review from postmodern on March 26, 2026 09:02

@mattalat

Sorry if this isn't the right place to ask, but should the "~> 8.0.4.1" pins be updated to ">= 8.0.4.1"? Rails 8.0.5 was released a couple of days ago.

@jasnow (Contributor) commented Mar 26, 2026

> Sorry if this isn't the right place to ask, but should the "~> 8.0.4.1" pins be updated to ">= 8.0.4.1"? Rails 8.0.5 was [released a couple of days ago]

Look at the other advisories in the repo - note that only the more recent release uses ">=" and the rest use "~>".

@mattalat

> Look at the other advisories in the repo - note that only the more recent release uses ">=" and the rest use "~>".

I see, thanks. Since 8.0.5 should resolve the advisory but is not included in the advisory solutions, would it be more appropriate to request that the scraper be run again for this PR?

@jasnow (Contributor) commented Mar 26, 2026

> Look at the other advisories in the repo - note that only the more recent release uses ">=" and the rest use "~>".
>
> I see, thanks. Since 8.0.5 should resolve the advisory but is not included in the advisory solutions, would it be more appropriate to request that the scraper be run again for this PR?

Please provide an example public repo with rails 8.0.5. Then I will run "bundle audit" to see if it is a problem.

@mattalat

> Look at the other advisories in the repo - note that only the more recent release uses ">=" and the rest use "~>".
>
> I see, thanks. Since 8.0.5 should resolve the advisory but is not included in the advisory solutions, would it be more appropriate to request that the scraper be run again for this PR?
>
> Please provide an example public repo with rails 8.0.5. Then I will run "bundle audit" to see if it is a problem.

https://github.com/mattalat/rails-8.0.5-example

@jasnow (Contributor) commented Mar 26, 2026

> Look at the other advisories in the repo - note that only the more recent release uses ">=" and the rest use "~>".
>
> I see, thanks. Since 8.0.5 should resolve the advisory but is not included in the advisory solutions, would it be more appropriate to request that the scraper be run again for this PR?
>
> Please provide an example public repo with rails 8.0.5. Then I will run "bundle audit" to see if it is a problem.
>
> https://github.com/mattalat/rails-8.0.5-example

Is this the problem?

If you run bundle audit check, you get:

Name: activestorage
Version: 8.0.5
CVE: CVE-2026-33658
GHSA: GHSA-p9fm-f462-ggrg
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
Title: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Solution: update to '~> 7.2.3.1', '~> 8.0.4.1', '>= 8.1.2.1'

@mattalat

> Is this the problem?
>
> If you run bundle audit check, you get:
>
> Name: activestorage
> Version: 8.0.5
> CVE: CVE-2026-33658
> GHSA: GHSA-p9fm-f462-ggrg
> Criticality: Unknown
> URL: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
> Title: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
> Solution: update to '~> 7.2.3.1', '~> 8.0.4.1', '>= 8.1.2.1'

Yes, I believe >= 8.0.5 should be included. That would satisfy the Rails advisory. Currently, 8.0.5 is incorrectly considered vulnerable.

@jasnow (Contributor) commented Mar 26, 2026

> Is this the problem?
> If you run bundle audit check, you get:
>
> Name: activestorage
> Version: 8.0.5
> CVE: CVE-2026-33658
> GHSA: GHSA-p9fm-f462-ggrg
> Criticality: Unknown
> URL: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
> Title: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
> Solution: update to '~> 7.2.3.1', '~> 8.0.4.1', '>= 8.1.2.1'
>
> Yes, I believe >= 8.0.5 should be included. That would satisfy the Rails advisory. Currently, 8.0.5 is incorrectly considered vulnerable.

@postmodern approved and merged into this repo: #1023

@postmodern (Member) left a comment

~> X.Y.Z.W version constraints will exclude the X.Y.Z+1 version and above. Better to use ~> X.Y.Z, >= X.Y.Z.W.
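The constraint point above worked through with RubyGems' own Gem::Requirement, as an added example that is not code from the PR, ruby-advisory-db or bundler-audit. It uses the patched ranges quoted in the bundle audit output earlier in the thread and assumes, as bundler-audit does, that a single patched_versions entry may hold several comma-separated constraints that must all hold.

```ruby
# Added example (not from the PR or from bundler-audit): how the pessimistic
# operator "~>" treats four-segment versions such as 8.0.4.1, standard library only.
require "rubygems"

# Parse one patched_versions entry such as "~> 8.0.4, >= 8.0.4.1" into a
# Gem::Requirement whose constraints must all be satisfied (assumed format).
def requirement(entry)
  Gem::Requirement.new(*entry.split(", "))
end

# True when +version+ falls inside any patched range, i.e. is NOT reported.
def patched?(patched_entries, version)
  v = Gem::Version.new(version)
  patched_entries.any? { |entry| requirement(entry).satisfied_by?(v) }
end

# Ranges as submitted in the PR: "~> 8.0.4.1" means ">= 8.0.4.1, < 8.0.5",
# so 8.0.5 falls outside every range and bundle audit flags it.
AS_SUBMITTED = ["~> 7.2.3.1", "~> 8.0.4.1", ">= 8.1.2.1"].freeze

# The "~> X.Y.Z, >= X.Y.Z.W" form from the review: "~> 8.0.4, >= 8.0.4.1"
# means ">= 8.0.4.1, < 8.1", so 8.0.5 is patched while 8.1.0 still is not.
AS_REVIEWED = ["~> 7.2.3, >= 7.2.3.1", "~> 8.0.4, >= 8.0.4.1", ">= 8.1.2.1"].freeze

# Show the bounds RubyGems derives for a single constraint string.
def bounds(constraint)
  op, ver = Gem::Requirement.parse(constraint)
  op == "~>" ? ">= #{ver}, < #{ver.bump}" : "#{op} #{ver}"
end

if __FILE__ == $0
  puts bounds("~> 8.0.4.1") # => ">= 8.0.4.1, < 8.0.5"
  %w[8.0.4 8.0.4.1 8.0.5 8.1.0 8.1.2.1].each do |v|
    printf "%-8s submitted: %-5s reviewed: %s\n", v,
           patched?(AS_SUBMITTED, v), patched?(AS_REVIEWED, v)
  end
end
```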
