All CarrierWave CVEs — Complete Vulnerability History
CarrierWave handles file uploads in Rails applications. Upload handling is a high-value attack surface: the recurring risks are code execution through image-processing options, type-validation bypasses that let a crafted file be stored and later rendered as HTML or SVG (stored XSS), and path traversal or file overwrite through unsanitised filenames.
Ruby · 500K+ weekly downloads · 2 CVEs listed (1 HIGH, 1 MEDIUM)
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-21305 | 2021 | HIGH | Code injection: `manipulate!` eval'd the contents of its `:read`/`:write` mutation options, so untrusted values passed to them ran as Ruby (RCE) | Fixed 2.1.1 (1.3.2 on the 1.x line) |
| CVE-2023-49090 | 2023 | MEDIUM | `content_type_allowlist` bypass via a crafted file, possibly leading to stored XSS | Fixed 3.0.5 (2.2.5 on the 2.x line) |
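The CVE-2021-21305 row describes a bug class worth seeing in code: option values are interpolated into Ruby source and eval'd, so a value that contains Ruby is executed instead of being assigned. The block below is an added illustration of that pattern beside a hardened version, written for this page; it is not CarrierWave's or RMagick's code. `ImageInfo` is a constructed stand-in for an image library's "info" object, and `$injected` is a sentinel the payload flips so the effect is observable.

```ruby
# Added illustration of the CVE-2021-21305 bug class (string-built Ruby passed to eval),
# not CarrierWave's or RMagick's code. ImageInfo is a constructed stand-in for an image
# library's "info" object; $injected is a sentinel flipped by the payload.

class ImageInfo
  attr_accessor :density, :format
end

$injected = false

# Vulnerable pattern: build "info.key = value" source text from the caller's hash and
# eval it. The value '"72x72"; $injected = true' is valid Ruby, so everything after the
# semicolon runs with the process's full privileges.
def vulnerable_info_block(options)
  assignments = options.map { |key, value| "info.#{key} = #{value}" }
  eval("lambda { |info| #{assignments.join('; ')} }")
end

# Hardened pattern: the option name is checked against a fixed allowlist and the value
# is handed to the setter as a plain object. Nothing is parsed as code.
ALLOWED_INFO_OPTIONS = %i[density format].freeze

def apply_info_options(info, options)
  options.each do |key, value|
    key = key.to_sym
    raise ArgumentError, "unsupported option: #{key}" unless ALLOWED_INFO_OPTIONS.include?(key)
    info.public_send(:"#{key}=", value.to_s)
  end
  info
end

# Runs the same attacker-controlled hash through both versions and reports what happened.
def compare(payload)
  $injected = false
  vulnerable = ImageInfo.new
  vulnerable_info_block(payload).call(vulnerable)
  vulnerable_ran_payload = $injected

  $injected = false
  hardened = apply_info_options(ImageInfo.new, payload)

  {
    vulnerable_density: vulnerable.density,       # "72x72": the injected tail ran silently
    vulnerable_ran_payload: vulnerable_ran_payload,
    hardened_density: hardened.density,           # the whole string, stored as inert data
    hardened_ran_payload: $injected
  }
end

# Constructed attacker-controlled options, e.g. a density taken from a request parameter.
ATTACKER_OPTIONS = { density: '"72x72"; $injected = true' }.freeze

puts compare(ATTACKER_OPTIONS) if $PROGRAM_NAME == __FILE__
```

The hardened version also rejects option names it does not know, which closes the related trick of smuggling a method name such as `instance_eval` in as the key.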
Current safe version: 3.0.7 (both fixes are present from 3.0.5 onward; on the 2.x line, 2.2.5 carries both).

```ruby
# Before
gem 'carrierwave', '2.2.2'

# After
gem 'carrierwave', '3.0.7'
```

Then run: bundle install

Note that 2.2.2 to 3.0.7 crosses a major version; review the 3.0 changelog before upgrading, or pin `'~> 2.2.5'` if you need to stay on 2.x and still pick up both fixes.
Common questions
How do I secure file uploads in Rails?
Decide what a file is from its bytes, never from the client's Content-Type header or the filename alone. In CarrierWave, use `extension_allowlist` and `content_type_allowlist` together, and only on a release that includes the CVE-2023-49090 fix (3.0.5 / 2.2.5 or later), since earlier releases could be talked into an allowed type by a crafted file. Keep CarrierWave's filename sanitisation (do not override `filename` with user-controlled input), override `store_dir` or use a cloud store so uploads do not land under `public/`, and serve them with a fixed Content-Type plus `X-Content-Type-Options: nosniff`, ideally from a separate origin, so a polyglot file is never rendered as HTML or SVG. For images, re-encode through an image library rather than storing the original bytes.
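To make those rules concrete, here is an added example in plain Ruby (not CarrierWave code) that writes out the checks a hardened uploader relies on: sniff the type from the leading bytes, require it to agree with the extension the file will be stored under, sanitise the filename, and confirm the final path stays inside a storage root outside `public/`. `ALLOWED_TYPES`, `EXTENSION_TYPES`, `MAGIC_BYTES` and `UPLOAD_ROOT` are assumptions for the example, and the sample uploads are constructed byte strings, including one shaped like the CVE-2023-49090 bypass class: genuine image magic bytes, an HTML body, and a `.html` name.

```ruby
# Added example, not CarrierWave code: content-based upload validation in plain Ruby so
# the checks are visible and runnable without the gem. The constants and the sample
# uploads at the bottom are constructed for the example.

ALLOWED_TYPES = %w[image/png image/jpeg image/gif].freeze

EXTENSION_TYPES = {
  "png" => "image/png", "jpg" => "image/jpeg", "jpeg" => "image/jpeg", "gif" => "image/gif"
}.freeze

# Leading bytes that identify each accepted format (small constructed table).
MAGIC_BYTES = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b]
}.freeze

# Assumed storage root outside public/, so nothing here is served straight from disk
# with a Content-Type guessed from the filename.
UPLOAD_ROOT = File.expand_path("storage/uploads", Dir.pwd)

# Decide the type from the bytes; the client's Content-Type header plays no part.
def sniff_content_type(bytes)
  head = bytes.b[0, 16]
  MAGIC_BYTES.each do |type, signatures|
    return type if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Keep only the last path component and a conservative character set, so
# "../../etc/passwd" or "a\..\b.png" cannot name a directory or a hidden file.
def sanitize_filename(name)
  base = File.basename(name.to_s.tr("\\", "/"))
  base = base.gsub(/[^A-Za-z0-9_.\-]/, "_").sub(/\A\.+/, "")
  base = "upload" if base.empty?
  base[0, 200]
end

def validate_upload(filename:, declared_type:, bytes:)
  errors, warnings = [], []
  name     = sanitize_filename(filename)
  ext      = File.extname(name).delete_prefix(".").downcase
  ext_type = EXTENSION_TYPES[ext]
  sniffed  = sniff_content_type(bytes)

  errors << "extension .#{ext} not allowed" unless ext_type
  errors << "content is not an accepted image" unless sniffed && ALLOWED_TYPES.include?(sniffed)
  # The decisive check: the bytes must agree with the extension the file is stored under,
  # because that extension is what a web server would use to pick a Content-Type.
  if ext_type && sniffed && ext_type != sniffed
    errors << "extension says #{ext_type} but content is #{sniffed}"
  end
  # The declared header is advisory only: log disagreement, do not trust agreement.
  warnings << "client declared #{declared_type}, content is #{sniffed}" if declared_type != sniffed

  path = File.expand_path(name, UPLOAD_ROOT)
  errors << "path escapes upload root" unless path.start_with?(UPLOAD_ROOT + File::SEPARATOR)

  { ok: errors.empty?, content_type: sniffed, stored_path: path, errors: errors, warnings: warnings }
end

# Constructed sample uploads.
PNG_BYTES = "\x89PNG\r\n\x1a\n".b + "\x00" * 16
SAMPLES = {
  genuine:   { filename: "avatar.png",  declared_type: "image/png", bytes: PNG_BYTES },
  # Bypass shape: real GIF magic, HTML body, .html name, and a matching declared type.
  gif_html:  { filename: "avatar.html", declared_type: "image/gif", bytes: "GIF89a<script>alert(1)</script>".b },
  polyglot:  { filename: "avatar.png",  declared_type: "image/png", bytes: "GIF89a".b + "\x00" * 16 },
  traversal: { filename: "../../etc/passwd.png", declared_type: "image/png", bytes: PNG_BYTES }
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |label, upload| puts "#{label}: #{validate_upload(**upload)}" }
end
```

The `gif_html` sample is the instructive one: its header and its magic bytes both say `image/gif`, so a check that stops at either would accept it, yet the `.html` extension is what a web server would key on when serving it. Only the extension allowlist, evaluated against the sniffed type, rejects it.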