HackerOne Disclosed Reports - 2026-05-07 - Printable Version
Source: Dark C0d3rs (https://darkcoders.wiki), Forum: Research Papers/Vulnerability reports, Thread: HackerOne Disclosed Reports - 2026-05-07
HackerOne disclosed reports - 2026-05-07 - hashXploiter - 05-08-2026
Medium, resolved
ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection
Bug reported by kim siwong was disclosed at May 7, 2026, 2:04 pm | Path Traversal

A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation of the blob key parameter before constructing file paths. This could be exploited by an attacker who could influence the hash passed to the `.attach()` method.
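The check the report describes as missing, as an added Ruby example that is neither Rails' own code nor part of the report: it models the disk service's two-level sharded layout (`root/ab/cd/<key>`, a simplified assumption here) and refuses any blob key that is not a base58 token of the length ActiveStorage generates, or that does not resolve inside the storage root. `BlobKeyGuard`, `KEY_PATTERN`, `path_for`, `inside_root?` and `safe_path_for` are names chosen for this example.

```ruby
# Added example, not Rails' code: validates a blob key before it is turned
# into a filesystem path, so a caller-influenced key cannot escape the root.
require "pathname"

module BlobKeyGuard
  # ActiveStorage keys are base58 tokens (no 0, O, I, l) of at least 28 chars.
  # Anything else is rejected before any path is built.
  KEY_PATTERN = /\A[1-9A-HJ-NP-Za-km-z]{28,}\z/

  # Simplified model of the disk service's sharded layout (assumption).
  def self.path_for(root, key)
    File.join(root, key[0..1], key[2..3], key)
  end

  # True only when the sharded path for +key+ still lies inside +root+
  # after "." and ".." components are normalised away.
  def self.inside_root?(root, key)
    return false if key.to_s.length < 4
    root_path = Pathname.new(root).expand_path.to_s
    candidate = Pathname.new(path_for(root, key)).expand_path.to_s
    candidate.start_with?(root_path + File::SEPARATOR)
  end

  # Returns the resolved path for an acceptable key, nil otherwise.
  # The format check alone rules out separators and dots; the containment
  # check is kept as defence in depth in case the pattern is ever relaxed.
  def self.safe_path_for(root, key)
    return nil unless key.is_a?(String) && key.match?(KEY_PATTERN)
    return nil unless inside_root?(root, key)
    Pathname.new(path_for(root, key)).expand_path.to_s
  end
end
```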