diff --git a/Gemfile.lock b/Gemfile.lock
index fe836915448372084bdb0adefa82732b623bbe19..162170219cde22722106aa0682cf1a69a51f6c7e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -177,10 +177,11 @@ GEM
 capybara-screenshot (1.0.22)
 capybara (>= 1.0, < 4)
 launchy
- carrierwave (1.3.1)
+ carrierwave (1.3.2)
 activemodel (>= 4.0.0)
 activesupport (>= 4.0.0)
 mime-types (>= 1.16)
+ ssrf_filter (~> 1.0)
 cbor (0.5.9.6)
 character_set (1.4.0)
 charlock_holmes (0.7.7)
@@ -1210,6 +1211,7 @@ GEM
 sprockets (>= 3.0.0)
 sqlite3 (1.3.13)
 sshkey (2.0.0)
+ ssrf_filter (1.0.7)
 stackprof (0.2.15)
 state_machines (0.5.0)
 state_machines-activemodel (0.8.0)
diff --git a/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml b/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4e31f9d855d546e53336e2b0479d3584bde68bb4
--- /dev/null
+++ b/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml
@@ -0,0 +1,5 @@
+---
+title: Bump Carrierwave gem to v1.3.2
+merge_request:
+author:
+type: security
diff --git a/spec/services/projects/download_service_spec.rb b/spec/services/projects/download_service_spec.rb
index 0f743eaa7f55c91aaff2dde1d2cf7206da2ffb7b..7d4fce814f5c27185e88d1f4cf5f99834896406c 100644
--- a/spec/services/projects/download_service_spec.rb
+++ b/spec/services/projects/download_service_spec.rb
@@ -20,8 +20,9 @@
 context 'for URLs that are on the whitelist' do
 before do
- stub_request(:get, 'http://mycompany.fogbugz.com/rails_sample.jpg').to_return(body: File.read(Rails.root + 'spec/fixtures/rails_sample.jpg'))
- stub_request(:get, 'http://mycompany.fogbugz.com/doc_sample.txt').to_return(body: File.read(Rails.root + 'spec/fixtures/doc_sample.txt'))
+ # `ssrf_filter` resolves the hostname. See https://github.com/carrierwaveuploader/carrierwave/commit/91714adda998bc9e8decf5b1f5d260d808761304
+ stub_request(:get, %r{http://[\d\.]+/rails_sample.jpg}).to_return(body: File.read(Rails.root + 'spec/fixtures/rails_sample.jpg'))
+ stub_request(:get, %r{http://[\d\.]+/doc_sample.txt}).to_return(body: File.read(Rails.root + 'spec/fixtures/doc_sample.txt'))
 end
 context 'an image file' do
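Review bot: The two new `stub_request` lines make this example depend on live DNS, because the `%r{http://[\d\.]+/...}` patterns can only match after `mycompany.fogbugz.com` has really been resolved to an IPv4 literal; on a runner with no resolver, or if the name resolves to an address that `ssrf_filter` rejects, the request never reaches the stub and the example fails for a reason unrelated to `DownloadService`. Stubbing the resolution step instead (if I read `ssrf_filter` correctly, a `Resolv` lookup; return a fixed, constructed public address such as `'203.0.113.10'`) and matching that exact address in the stub would keep the example hermetic and keep it asserting that the whitelisted host, not an arbitrary IP, is what gets fetched. As a point of style, the unescaped dot in `rails_sample.jpg` and `doc_sample.txt` matches any character and the `\.` inside the character class is redundant: `%r{http://[\d.]+/rails_sample\.jpg}` and `%r{http://[\d.]+/doc_sample\.txt}` say what is meant. The `before` block is complete within the hunk, but the enclosing `context 'for URLs that are on the whitelist'` continues past it.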