GHSA-73f9-jhhh-hr5m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-73f9-jhhh-hr5m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-73f9-jhhh-hr5m/GHSA-73f9-jhhh-hr5m.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-73f9-jhhh-hr5m
- Aliases
- Related
- Published
- 2026-03-23T21:18:56Z
- Modified
- 2026-03-25T20:46:25.589672Z
- Severity
-
- 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Rails Active Storage has possible glob injection in its DiskService
- Details
-
Impact
Active Storage's
DiskService#delete_prefixedpasses blob keys directly toDir.globwithout escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.Releases
The fixed releases are available at the normal locations.
- Database specific
{ "nvd_published_at": "2026-03-24T00:16:29Z", "cwe_ids": [ "CWE-74" ], "github_reviewed_at": "2026-03-23T21:18:56Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
- https://nvd.nist.gov/vuln/detail/CVE-2026-33202
- https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
- https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
- https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
- https://github.com/rails/rails
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
Affected packages
RubyGems / activestorage
Package
- Name
- activestorage
- Purl
- pkg:gem/activestorage
RubyGems / activestorage
Package
- Name
- activestorage
- Purl
- pkg:gem/activestorage
RubyGems / activestorage
Package
- Name
- activestorage
- Purl
- pkg:gem/activestorage
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.2.3.1
Affected versions
0.*
0.1
5.*
5.2.0.beta1
5.2.0.beta2
5.2.0.rc1
5.2.0.rc2
5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.5
5.2.6
5.2.6.1
5.2.6.2
5.2.6.3
5.2.7
5.2.7.1
5.2.8
5.2.8.1
6.*
6.0.0.beta1
6.0.0.beta2
6.0.0.beta3
6.0.0.rc1
6.0.0.rc2
6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6
6.0.4.7
6.0.4.8
6.0.5
6.0.5.1
6.0.6
6.0.6.1
6.1.0.rc1
6.1.0.rc2
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6
6.1.4.7
6.1.5
6.1.5.1
6.1.6
6.1.6.1
6.1.7
6.1.7.1
6.1.7.2
6.1.7.3
6.1.7.4
6.1.7.5
6.1.7.6
6.1.7.7
6.1.7.8
6.1.7.9
6.1.7.10
7.*
7.0.0.alpha1
7.0.0.alpha2
7.0.0.rc1
7.0.0.rc2
7.0.0.rc3
7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2
7.0.2.3
7.0.2.4
7.0.3
7.0.3.1
7.0.4
7.0.4.1
7.0.4.2
7.0.4.3
7.0.5
7.0.5.1
7.0.6
7.0.7
7.0.7.1
7.0.7.2
7.0.8
7.0.8.1
7.0.8.2
7.0.8.3
7.0.8.4
7.0.8.5
7.0.8.6
7.0.8.7
7.0.10
7.1.0.beta1
7.1.0.rc1
7.1.0.rc2
7.1.0
7.1.1
7.1.2
7.1.3
7.1.3.1
7.1.3.2
7.1.3.3
7.1.3.4
7.1.4
7.1.4.1
7.1.4.2
7.1.5
7.1.5.1
7.1.5.2
7.1.6
7.2.0.beta1
7.2.0.beta2
7.2.0.beta3
7.2.0.rc1
7.2.0
7.2.1
7.2.1.1
7.2.1.2
7.2.2
7.2.2.1
7.2.2.2
7.2.3