Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33202 is a security vulnerability in Ruby on Rails' Active Storage DiskService, specifically in the `DiskService#delete_prefixed` method."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because this method passes blob keys directly to the Ruby method `Dir.glob` without escaping special glob metacharacters such as `*`, `?`, `[`, `]`, `{`, `}`, and `\\`.'}, {'type': 'paragraph', 'content': 'If blob keys contain attacker-controlled input or custom-generated keys with these glob metacharacters, it can cause `Dir.glob` to match and delete unintended files beyond the intended scope.'}, {'type': 'paragraph', 'content': 'This is effectively a glob injection attack that can lead to unintended file deletions within the storage directory.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by introducing a method to escape all glob metacharacters in the file path before passing it to `Dir.glob`, ensuring only the intended files are matched and deleted.'}] [1, 2, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unintended deletion of files within the storage directory of a Rails application using Active Storage.

If an attacker can control or influence blob keys containing glob metacharacters, they could cause the application to delete files outside the intended scope.

This may result in data loss or unauthorized removal of files, potentially disrupting application functionality or causing loss of important data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from the use of unescaped glob metacharacters in blob keys passed to the DiskService#delete_prefixed method in Ruby on Rails Active Storage. To detect if your system is vulnerable, you should check the version of Rails Active Storage in use and whether it is prior to the patched versions 8.1.2.1, 8.0.4.1, or 7.2.3.1.

Additionally, you can audit your storage directory for files or blob keys containing glob metacharacters such as *, ?, [, ], {, }, and \ which could be exploited.

Since the vulnerability involves file deletion via glob pattern expansion, you can look for suspicious deletion logs or unexpected file removals in your storage directory.

There are no specific commands provided in the resources to detect the vulnerability directly on your system or network.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade your Ruby on Rails Active Storage to one of the patched versions: 8.1.2.1, 8.0.4.1, or 7.2.3.1, which include a fix that escapes all glob metacharacters in blob keys before passing them to Dir.glob.

This fix prevents unintended file deletions caused by glob injection attacks by neutralizing the special meaning of glob metacharacters in blob keys.

If immediate upgrade is not possible, review and sanitize any custom-generated blob keys or user inputs to ensure they do not contain glob metacharacters.

Audit your storage directory for any suspicious file deletions and consider implementing additional monitoring or access controls to limit the impact of potential exploitation.

Useful 0 Not Useful 0