GHSA-m42x-37p3-fv5w

GitHub Security Advisory

Circumvention of file size limits in ActiveStorage

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.

Versions Affected: rails < 5.2.4.3, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.
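Why a client can rewrite Content-Length without invalidating the URL comes down to which headers the presigned URL's signature covers. An S3 presigned URL is an AWS SigV4 query-string signature over a canonical request that includes only the headers listed in X-Amz-SignedHeaders; any header outside that list is not bound by the signature at all. The fixed releases close the hole by having the S3 service include Content-Length in the signed header set when generating the direct-upload URL. The following is an added illustration, not code from Rails, ActiveStorage or the advisory: a minimal SigV4 query-string signer for a PUT, a simulated S3-side check, and a comparison of a URL that leaves Content-Length unsigned against one that signs it. All credentials, bucket and key names, sizes and the timestamp are made-up example values, and the path encoding and expiry handling are simplified.

```ruby
require "openssl"
require "digest"

# Made-up example values for this illustration (not real credentials).
REGION     = "us-east-1"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET     = "example-bucket"
OBJECT_KEY = "uploads/report.pdf"
SIGN_TIME  = Time.utc(2020, 5, 26, 15, 9, 0)

def hmac(key, data)
  OpenSSL::HMAC.digest("sha256", key, data)
end

# RFC 3986 escaping as SigV4 requires for query values ("/" becomes %2F).
def rfc3986_escape(str)
  str.gsub(/[^A-Za-z0-9\-_.~]/) { |c| format("%%%02X", c.ord) }
end

# SigV4 query-string signature for a PUT of OBJECT_KEY. Only the headers
# named in `signed` enter the canonical request; every other header the
# client sends is invisible to the signature.
def sigv4_signature(headers:, signed:)
  date     = SIGN_TIME.strftime("%Y%m%d")
  amz_date = SIGN_TIME.strftime("%Y%m%dT%H%M%SZ")
  scope    = "#{date}/#{REGION}/s3/aws4_request"
  names    = signed.map(&:downcase).sort
  query = {
    "X-Amz-Algorithm"     => "AWS4-HMAC-SHA256",
    "X-Amz-Credential"    => "#{ACCESS_KEY}/#{scope}",
    "X-Amz-Date"          => amz_date,
    "X-Amz-Expires"       => "300",
    "X-Amz-SignedHeaders" => names.join(";"),
  }
  canonical_query = query.sort.map { |k, v| "#{rfc3986_escape(k)}=#{rfc3986_escape(v)}" }.join("&")
  sent = headers.transform_keys(&:downcase)
  canonical_headers = names.map { |n| "#{n}:#{sent.fetch(n, '').to_s.strip}\n" }.join
  canonical_request = [
    "PUT", "/#{OBJECT_KEY}", canonical_query, canonical_headers,
    names.join(";"), "UNSIGNED-PAYLOAD" # presigned S3 URLs never sign the body
  ].join("\n")
  string_to_sign = ["AWS4-HMAC-SHA256", amz_date, scope,
                    Digest::SHA256.hexdigest(canonical_request)].join("\n")
  k_signing = [REGION, "s3", "aws4_request"]
              .reduce(hmac("AWS4#{SECRET_KEY}", date)) { |k, part| hmac(k, part) }
  OpenSSL::HMAC.hexdigest("sha256", k_signing, string_to_sign)
end

# Application side: what the server hands the browser for a direct upload.
# The signed-header list travels in the URL as X-Amz-SignedHeaders.
def presign_put(headers:, signed:)
  { signed_headers: signed.map(&:downcase).sort,
    signature: sigv4_signature(headers: headers, signed: signed) }
end

# Simulated S3 side: recompute the signature over the headers actually
# received, using only the header names the URL says were signed.
def s3_accepts?(presigned, sent_headers)
  expected = sigv4_signature(headers: sent_headers, signed: presigned[:signed_headers])
  OpenSSL.secure_compare(expected, presigned[:signature])
end

# The advisory's scenario: the app approves a 1 MiB upload, the client
# rewrites Content-Length to 10 GiB and reuses the same URL.
def tampering_demo
  legit = { "host" => "#{BUCKET}.s3.amazonaws.com",
            "content-type" => "application/pdf",
            "content-length" => "1048576" }                 # size the server approved
  tampered = legit.merge("content-length" => "10737418240")  # size the client actually claims

  unfixed = presign_put(headers: legit, signed: %w[host content-type])                # Content-Length unsigned
  fixed   = presign_put(headers: legit, signed: %w[host content-type content-length]) # Content-Length signed
  {
    unfixed_accepts_tampered: s3_accepts?(unfixed, tampered), # true: the limit is bypassed
    fixed_accepts_tampered:   s3_accepts?(fixed, tampered),   # false: signature no longer matches
    fixed_accepts_legit:      s3_accepts?(fixed, legit),      # true: honest client still works
  }
end

puts tampering_demo if $PROGRAM_NAME == __FILE__
```

The point the example makes is that passing a Content-Length value into the presign call is not the same as signing it: the value only constrains the upload if the header name appears in X-Amz-SignedHeaders. Independently of the URL, an application that records the expected byte size at direct-upload time can also compare it against the size of the object actually stored before it treats the blob as attached, which catches the same tampering after the fact.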

Workarounds
-----------

The Rails advisory describes this as a low-severity security issue and, on that basis, states that no workaround is necessary until the application can be upgraded. Note that GitHub rates the advisory HIGH (CVSS 7.5), so applications that rely on client-side upload limits for S3 direct uploads should treat the upgrade as a priority.

Affected Packages

RubyGems activestorage
Affected versions: >= 5.0.0, < 5.2.4.3 (fixed in 5.2.4.3)
RubyGems activestorage
Affected versions: >= 6.0.0, < 6.0.3.1 (fixed in 6.0.3.1)

Key Information

GHSA ID
GHSA-m42x-37p3-fv5w
Published
May 26, 2020 3:09 PM
Last Modified
July 5, 2023 7:19 PM
CVSS Score
7.5 /10
Primary Ecosystem
RubyGems
Primary Package
activestorage
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.