carrierwave is vulnerable to Content-Type Denylist Bypass
Medium Risk
CarrierWave checks content_type_denylist (and the legacy content_type_blacklist alias on older branches) by building a Ruby regex from each string denylist entry without escaping metacharacters. MIME types such as image/svg+xml use + literally, but the unquoted pattern treats + as a quantifier so the denylist never matches and uploads that developers expect to block are accepted. An attacker can upload SVG or other denied types and, when those files are served to browsers, achieve stored cross-site scripting. The patch quotes string entries with Regexp.quote before matching, consistent with the allowlist implementation.
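The following Ruby snippet is an added illustration of the bypass described above and of the Regexp.quote fix; it is not CarrierWave's own code. The helper names, the anchoring with \A, and the sample denylist and Content-Type values are assumptions constructed for this example.

```ruby
# Added example: why an unescaped denylist entry fails to match a MIME type
# that contains regex metacharacters, and how quoting the entry fixes it.
# Function names, the \A anchoring and the sample values are assumptions,
# not CarrierWave's implementation.

# Vulnerable pattern: the string entry is interpolated into a regex literal
# unchanged, so "image/svg+xml" becomes "image/sv" + "g+" + "xml" and the
# literal MIME type "image/svg+xml" is never matched.
def denied_unescaped?(content_type, denylist)
  denylist.any? do |entry|
    pattern = entry.is_a?(Regexp) ? entry : /\A#{entry}/i
    !(content_type =~ pattern).nil?
  end
end

# Hardened pattern: string entries are escaped with Regexp.quote so every
# metacharacter is matched literally; Regexp entries are still honoured as-is.
def denied_quoted?(content_type, denylist)
  denylist.any? do |entry|
    pattern = entry.is_a?(Regexp) ? entry : /\A#{Regexp.quote(entry)}/i
    !(content_type =~ pattern).nil?
  end
end

# Compare both checks over a list of Content-Type values and return one
# row per type, so the bypass is visible side by side with the fix.
def bypass_report(denylist, content_types)
  content_types.map do |ct|
    {
      type: ct,
      denied_unescaped: denied_unescaped?(ct, denylist),
      denied_quoted: denied_quoted?(ct, denylist),
    }
  end
end

# Constructed sample denylist and upload Content-Type values.
SAMPLE_DENYLIST = ["image/svg+xml", "text/html"].freeze
SAMPLE_TYPES = ["image/svg+xml", "text/html", "image/png"].freeze

if __FILE__ == $PROGRAM_NAME
  bypass_report(SAMPLE_DENYLIST, SAMPLE_TYPES).each do |row|
    printf("%-14s unescaped denied=%-5s quoted denied=%s\n",
           row[:type], row[:denied_unescaped], row[:denied_quoted])
  end
end
```

Running the script shows that text/html is rejected by both checks, while image/svg+xml slips through the unescaped check and is only rejected once the entry is quoted; a unit test that feeds each denylisted MIME type through the validator is a cheap way to catch this class of regression.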
You are affected if you are using a version that falls within the vulnerable range: carrierwave is vulnerable to Content-Type Denylist Bypass in versions 0.0.1 - 2.2.6 and 3.0.0 - 3.1.2.
Upgrade the carrierwave library to a patched version.