paperclip 3.4.0

3 security vulnerabilities found in version 3.4.0

Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.

critical severity CVE-2017-0889
critical severity CVE-2017-0889
Patched versions: >= 5.2.0

Paperclip gem provides multiple ways a file can be uploaded to a web server. The vulnerability affects two of Paperclip’s IO adapters that accept URLs as attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are used, Paperclip acts as a proxy and downloads the file from the website URI that is passed in. The library does not perform any validation to protect against Server Side Request Forgery (SSRF) exploits by default. This may allow a remote attacker to access information about internal network resources.

Paperclip: Access Restriction Bypass

high severity OSVDB-103151
high severity OSVDB-103151
Patched versions: >= 4.0.0

Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly validate the file extension, instead only validating the Content-Type header during file uploads. This may allow a remote attacker to bypass restrictions on file types for uploaded files by spoofing the content-type.

Paperclip Gem for Ruby vulnerable to content type spoofing

medium severity CVE-2015-2963
medium severity CVE-2015-2963
Patched versions: >= 4.2.2

There is an issue where if an HTML file is uploaded with a .html extension, but the content type is listed as being image/jpeg, this will bypass a validation checking for images. But it will also pass the spoof check, because a file named .html and containing actual HTML passes the spoof check.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.


This gem version has a MIT license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.