CVE-2026-44587
Status: Received - Intake
Content Type Bypass in CarrierWave via Regex Metacharacters

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block.

In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier on the preceding g rather than as a literal character, and the pattern therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well.

As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3.
Affected Vendors & Products
Vendor: carrierwaveuploader
Product: carrierwave
Version range (CPE): all versions before 3.1.3 (exclusive)

Note that this single CPE range spans both release lines. Per the description, the 2.x line is fixed from 2.2.7 onward, so an installation on 2.2.7 or a later 2.x release falls inside the CPE range but is not vulnerable; the affected set is 2.x before 2.2.7 and 3.x before 3.1.3.
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-625 (Permissive Regular Expression): The product uses a regular expression that does not sufficiently restrict the set of allowed values.
CWE-184 (Incomplete List of Disallowed Inputs): The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Executive Summary

CVE-2026-44587 is a vulnerability in the content_type_denylist feature of the CarrierWave Ruby gem. String entries in the denylist are inserted directly into a regular expression without escaping regex metacharacters such as '+'. The MIME type 'image/svg+xml' therefore becomes the pattern /image\/svg+xml/, in which '+' quantifies the preceding 'g' instead of matching a literal plus sign, so the pattern can never match the real content type. Every denylist entry containing a metacharacter fails the same way, and nothing reports the failure.

Applications that rely on the denylist to reject dangerous types, above all SVG documents, which may carry embedded JavaScript, are therefore unprotected without knowing it. An attacker can upload a crafted SVG; if the application later serves that file inline from its own origin, the script runs in a victim's browser as stored cross-site scripting (XSS).

The vulnerability affects CarrierWave versions prior to 2.2.7 and 3.1.3. The fix escapes regex metacharacters in string entries and anchors the resulting pattern, matching what the allowlist implementation already did.
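The following is an added example, not CarrierWave's own code and not part of the advisory: a minimal re-creation of the matching logic the description and summary above talk about, so the failure can be observed without installing the gem. `denylisted_unpatched?` reproduces the described pre-fix behaviour (string entry interpolated into a regex, no quoting, no anchor); `denylisted_patched?` and `allowlisted?` reproduce the quote-plus-`\A`-anchor behaviour the advisory attributes to the allowlist and to the fix. Function names, the sample denylist and the exact anchoring are assumptions for illustration.

```ruby
# Added example, not CarrierWave's code: re-creation of the denylist/allowlist
# matching described in the advisory. Names and anchoring are assumptions.

# Described pre-fix behaviour: the string entry is interpolated into a regex
# with no Regexp.quote and no anchor, so '+' becomes a quantifier.
def denylisted_unpatched?(content_type, denylist)
  Array(denylist).any? { |item| content_type =~ /#{item}/ }
end

# Fixed behaviour as described: quote string entries, anchor the pattern.
# A Regexp entry is used as-is.
def denylisted_patched?(content_type, denylist)
  Array(denylist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /\A#{item}/
  end
end

# Allowlist as the advisory describes it: Regexp.quote plus a \A anchor.
def allowlisted?(content_type, allowlist)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /\A#{item}/
  end
end

# Constructed denylist: two entries with a '+' metacharacter, one without.
DENYLIST = %w[image/svg+xml application/xhtml+xml text/html].freeze

# Side-by-side result for one content type.
def compare(content_type)
  {
    unpatched: denylisted_unpatched?(content_type, DENYLIST),
    patched:   denylisted_patched?(content_type, DENYLIST)
  }
end

if __FILE__ == $0
  %w[image/svg+xml application/xhtml+xml text/html image/png image/svgxml].each do |ct|
    r = compare(ct)
    puts format('%-24s blocked? unpatched=%-5s patched=%s', ct, r[:unpatched], r[:patched])
  end
  # A Regexp entry is interpolated as a (?-mix:...) group, so its metacharacters
  # keep their meaning even in the unpatched matcher.
  puts denylisted_unpatched?('image/svg+xml', [/\Aimage\/svg\+xml\z/])
end
```

Two things the table makes visible that the prose does not: the unpatched pattern for image/svg+xml does match the non-existent type image/svgxml (the quantified g), which is the only thing it ever blocked, and a Regexp entry such as /\Aimage\/svg\+xml\z/ is matched correctly even by the unpatched code, because interpolating a Regexp object preserves its source. Note that the patched matcher as reconstructed here anchors only at the start, so a short entry like "image/svg" would also block "image/svg+xml" by prefix.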

Impact Analysis

An attacker who can upload files to the application can bypass a content_type_denylist that was meant to reject image/svg+xml (or application/xhtml+xml) and store an SVG document carrying script.

The script runs only when a victim's browser renders the file inline from the application's origin: for example by opening the upload URL directly, or when a page embeds it with <object> or <iframe>. An SVG referenced through an <img> tag or a CSS background is rasterised without executing script, so the practical exposure depends on how the application serves its uploads.

When it does run, it executes as stored cross-site scripting in the victim's session: reading data the victim can see, performing actions on their behalf, or exfiltrating tokens, subject to whatever cookie flags and Content Security Policy the application applies.

The assigned CVSS score of 4.7 indicates moderate severity: the attack is network-reachable and needs user interaction (a victim must open the file) but, per the scoring, no privileges. In practice the attacker still needs whatever upload path the application exposes, which is frequently open to any registered user.

Detection Guidance

The failing control is the content_type_denylist check, which does not block MIME types whose names contain regex metacharacters, such as image/svg+xml and application/xhtml+xml. Exposure therefore requires two things: a CarrierWave version prior to 2.2.7 (2.x line) or 3.1.3 (3.x line), and an uploader that relies on content_type_denylist string entries to reject such types.

Because the denylist has been silently passing these files, the second question is whether any have already been accepted. Search by content rather than by filename: an attacker can upload an SVG document under any name and extension, and the Content-Type the client declared is not a reliable indicator after the fact.

  • Confirm the installed version from the lockfile rather than the Gemfile constraint: `grep -E '^\s+carrierwave \(' Gemfile.lock` or `bundle info carrierwave`.
  • Look for SVG documents in the upload store regardless of name, for example `grep -rliI '<svg' /path/to/uploads` or `find /path/to/uploads -type f -exec file --mime-type {} + | grep 'image/svg+xml'`. A name-only search (`find /path/to/uploads -type f -name '*.svg'`) is a quick first pass but misses renamed files.
  • Review web server or application logs for upload requests that declared image/svg+xml, application/xhtml+xml or text/html, keeping in mind that the declared type is attacker-controlled.
  • Review every uploader class for a content_type_denylist whose string entries contain +, ., (, ), [ or other regex metacharacters; those entries have not been matching anything they were written for.
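The scanner below is an added example, not part of the advisory or of CarrierWave, and shows the content-based triage the detection steps above describe: it decides from the bytes whether a stored upload is an SVG document and whether that document carries script-capable constructs, ignoring the filename entirely. The sample files are constructed inline; the function names, the 4 KiB root-element window and the list of constructs are assumptions, and the classifier is a triage heuristic, not a sanitizer.

```ruby
# Added example, not CarrierWave's code: content-based triage of an upload
# directory for SVG documents, regardless of what the files are called.
require 'find'

# Constructs that let an SVG document run or embed active content. This is a
# triage list (assumption), not an exhaustive SVG sanitizer.
ACTIVE_CONTENT = [
  /<script\b/i,          # inline or external script element
  /\son[a-z]+\s*=/i,     # event handler attributes such as onload=
  /<foreignObject\b/i,   # arbitrary HTML embedded inside the SVG
  /\bjavascript:/i       # javascript: URLs in href / xlink:href / SMIL targets
].freeze

# Classify one byte blob as :svg_active, :svg or :other. Only the leading bytes
# are inspected for the root element, so large binaries are cheap to skip.
def classify_upload(bytes)
  data = bytes.b
  data = data[3..-1] if data.start_with?("\xEF\xBB\xBF".b) # drop a UTF-8 BOM
  head = data[0, 4096]
  # Root element: optional XML declaration, comments and DOCTYPE, then <svg.
  root = /\A\s*(?:<\?xml[^>]*\?>\s*)?(?:<!--.*?-->\s*)*(?:<!DOCTYPE[^>]*>\s*)?<svg\b/mi
  return :other unless head =~ root
  ACTIVE_CONTENT.any? { |re| data =~ re } ? :svg_active : :svg
end

# Walk an upload store and report every SVG document found, keyed by path.
def scan_directory(root)
  results = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    kind = classify_upload(File.binread(path))
    results[path] = kind unless kind == :other
  end
  results
end

# Constructed sample uploads: note that avatar.jpg is an SVG with a renamed extension.
SAMPLES = {
  'logo.png'   => "\x89PNG\r\n\x1a\n".b + 'not really an image'.b,
  'chart.svg'  => %(<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>),
  'avatar.jpg' => %(<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><rect/></svg>),
  'icon.svg'   => %(<svg xmlns="http://www.w3.org/2000/svg"><script>fetch('/admin')</script></svg>)
}.freeze

def classify_samples
  SAMPLES.transform_values { |bytes| classify_upload(bytes) }
end

if __FILE__ == $0
  require 'tmpdir'
  Dir.mktmpdir('uploads') do |dir|
    SAMPLES.each { |name, bytes| File.binwrite(File.join(dir, name), bytes) }
    scan_directory(dir).each { |path, kind| puts "#{kind.to_s.ljust(11)} #{File.basename(path)}" }
  end
end
```

Run it against the real upload root instead of the temporary directory to get a list of SVG documents to review; anything reported as :svg_active deserves a look before it is served again, and a file reported under a non-.svg name is direct evidence that extension-based checks were being relied on.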
Mitigation Strategies

The fix is to upgrade to CarrierWave 2.2.7 (2.x line) or 3.1.3 (3.x line) or later, where string denylist entries are escaped and anchored before they are matched.

If you cannot upgrade immediately, do not simply disable the denylist; change how the check is expressed so that the unpatched matcher still does what you intend. Either switch to content_type_allowlist, which as the advisory notes already applies Regexp.quote and a \A anchor and is the safer model for uploads in any case, or replace string denylist entries that contain metacharacters with Regexp objects such as /\Aimage\/svg\+xml\z/, which keep their meaning when interpolated. Whichever you choose, validate against the type detected from the file bytes, not the Content-Type the client declared.

Treat the upload filter as one layer only. The stored XSS requires the SVG to be rendered inline from the application's origin, so also serve user uploads with Content-Disposition: attachment, or from a separate cookie-less origin, so that a file which slipped past validation cannot run script with the application's session, and sanitize or reject any SVG content you intend to display inline.

  • Upgrade CarrierWave to 2.2.7 / 3.1.3 or later.
  • If you carry a fork or vendored copy, backport the fix (Regexp.quote plus anchoring for string denylist entries) rather than shipping the unpatched matcher.
  • Prefer content_type_allowlist over content_type_denylist, and validate detected rather than declared content types.
  • Serve user uploads as attachments or from a separate origin, and sanitize any SVG that must be rendered inline.
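The helper below is an added example, not part of the advisory or of CarrierWave, for the serving-side layer in the mitigation list: given the content type detected from the file bytes, it builds response headers that keep script-capable types from rendering inline on the application's origin, which is the condition the advisory gives for the stored XSS. The function name, the list of script-capable types and the CSP value are assumptions; `sniffed_type` is assumed to come from inspecting the stored bytes, never from the client's upload request.

```ruby
# Added example, not CarrierWave's code: response headers for serving stored
# uploads so that a script-capable file is downloaded rather than rendered
# inline. The type list and header values are assumptions for illustration.

# Types a browser will render as a document, and which can carry script.
# Generic XML types are included because an <svg> root renders as SVG.
SCRIPT_CAPABLE = %w[
  image/svg+xml application/xhtml+xml text/html
  application/xml text/xml
].freeze

# Build the header hash for one stored upload. `sniffed_type` must be the
# type detected from the bytes (assumption), not the client-declared one.
def download_headers(sniffed_type, filename)
  # Strip any path component and quote-breaking characters from the name.
  safe_name = File.basename(filename).gsub(/[^\w.\-]/, '_')
  headers = {
    'Content-Type'           => sniffed_type,
    'X-Content-Type-Options' => 'nosniff' # stop browsers second-guessing the type
  }
  if SCRIPT_CAPABLE.include?(sniffed_type.downcase)
    # Force a download; the sandbox directive is a second line of defence if
    # the file is still opened as a document.
    headers['Content-Disposition']     = %(attachment; filename="#{safe_name}")
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'"
  else
    headers['Content-Disposition'] = %(inline; filename="#{safe_name}")
  end
  headers
end

# True when the headers would let a browser render the body as a page.
def renders_inline?(headers)
  headers['Content-Disposition'].to_s.start_with?('inline')
end

if __FILE__ == $0
  [['image/png', 'avatar.png'], ['image/svg+xml', 'avatar.svg'],
   ['application/xhtml+xml', '../../etc/page.xhtml']].each do |type, name|
    puts "#{type} (#{name})"
    download_headers(type, name).each { |k, v| puts "  #{k}: #{v}" }
  end
end
```

Serving uploads from a separate origin that carries no application cookies is the stronger option, since it takes the application's session out of reach even if a file is rendered; the headers above are what to apply when uploads must stay on the main origin.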
Compliance Impact

Because the content_type_denylist check can be bypassed, an attacker can store an SVG file containing arbitrary JavaScript; if that file is served inline from the application's origin, the result is stored cross-site scripting in other users' browsers.

Stored XSS can expose session tokens and personal data and allow actions to be taken in a victim's name, which bears on obligations under data protection regimes such as GDPR or HIPAA that require personal and sensitive information to be protected against unauthorized access or disclosure.

Applications running an affected CarrierWave version and relying on content_type_denylist to keep SVG out should therefore treat this as a confidentiality risk to user data, and document the upgrade (or interim mitigation) and any review of already-stored uploads as part of their remediation record.
