Rails 6.1 LTS Changelog

April 23rd 2026, Rails version 6.1.7.37

• Backported a patch for CVE-2026-41316
• Fixed a bug for CVE-2022-44566
• Read the announcement Show archive.org snapshot

April 2nd 2026, Rails version 6.1.7.36

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.23.10.

April 2nd 2026, Rack version 2.2.23.10

• Backported fix for CVE-2026-34763 — Possible leak of root directory name in Rack::Directory
• Backported fix for CVE-2026-34230 — Denial of Service in Rack when using Rack::Deflater middleware
• Backported fix for CVE-2026-26961 — Non-RFC-conformant handling of Multipart request boundaries
• Backported fix for CVE-2026-34786 — Possible Incorrect setting of HTTP headers in Rack::Static
• Backported fix for CVE-2026-34831 — Possible Invalid Content-Length header in Rack::Files
• Backported fix for CVE-2026-34826 — Possible Denial of Service in Rack handling of Range headers
• Backported fix for CVE-2026-34835 — Missing validation of RFC-conformity of Host Header
• Backported fix for CVE-2026-34830 — Incorrect handling of X-Accel-Mapping in Rack::SendFile
• Backported fix for CVE-2026-34785 — Possible directory traversal in Rack::Static
• Backported fix for CVE-2026-34829 — Possible Denial of Service for multipart requests
• Backported fix for CVE-2026-26962 — Possible mishandling of filenames in multipart requests
• Read the announcement Show archive.org snapshot

March 24th 2026, Rails version 6.1.7.35

• Backported fix for CVE-2026-33168 — XSS in tag helper.
• Backported fix for CVE-2026-33169 — ReDoS in ActiveSupport.
• Backported fix for CVE-2026-33170 — XSS in SafeBuffer.
• Backported fix for CVE-2026-33173 — Insufficient filtering in ActiveStorage.
• Backported fix for CVE-2026-33176 — DoS in ActiveSupport.
• Backported fix for CVE-2026-33195 — Path Traversal in ActiveStorage.
• Backported fix for CVE-2026-33202 — Glob injection in ActiveStorage.
• Read the announcement Show archive.org snapshot
  • Note that the announcement mistakenly states that [CVE-2026-33174] and [CVE-2026-33658] were fixed in Rails LTS. Instead, they do not affect Rails LTS.

February 19th 2026, Rails version 6.1.7.34

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.22.10.

February 19th 2026, Rack version 2.2.22.10

• Merged upstream fix for XSS vulnerability CVE-2026-25500 in Rack::Directory. Read the announcement Show archive.org snapshot .
• Merged upstream fix for Directory Traversal vulnerability CVE-2026-22860 in Rack::Directory. Read the announcement Show archive.org snapshot .

October 20th 2025, Rails version 6.1.7.33

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.20.11.

October 20th 2025, Rack version 2.2.20.11

• Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). Has no security implications.

October 13th 2025, Rails version 6.1.7.32

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.20.10.

October 13th 2025, Rack version 2.2.20.10

• Merged upstream updates to Rack to address an DOS vulnerability CVE-2025-61919 and a potential information disclosure CVE-2025-61780. Read the announcement Show archive.org snapshot

October 9th 2025, Rails version 6.1.7.31

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.19.10.

October 9th 2025, Rack version 2.2.19.10

• Merged upstream updates to Rack to address DOS vulnerabilities CVE-2025-61770, CVE-2025-61771, and CVE-2025-61772. Read the announcement Show archive.org snapshot

October 1st 2025, Rails version 6.1.7.30

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.18.10.

October 1st 2025, Rack version 2.2.18.10

• Backported updates to Rack that address CVE-2025-59830. It was not affected in the first place, but we updated nonetheless. Read the announcement Show archive.org snapshot .

August 14th 2025, Rails version 6.1.7.29

• Backported fixes for two vulnerabilies. Read the announcement Show archive.org snapshot . This includes:

  • Dangerous transformation methods in ActiveStorage (CVE-2025-24293)
  • ANSI injection in ActiveRecord logging (CVE-2025-55193)

• Backported a (non-CVE) fix to ActionCable logging, to filter sensitive parameters.

June 6th 2025, Rails version 6.1.7.28

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.17.10.

June 6th 2025, Rack version 2.2.17.10

• Merged upstream changes from Rack 2.2.17.
• Fixed CVE-2025-49007: ReDoS Vulnerability in Rack Multipart Handling. Read the announcement Show archive.org snapshot .

May 9th 2025, Rails version 6.1.7.27

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.14.10.

May 9th 2025, Rack version 2.2.14.10

• Merged upstream changes from Rack 2.2.14. Read the announcement Show archive.org snapshot . This includes fixes for
  • Unbounded-Parameter DoS in Rack::QueryParser (CVE-2025-46727)
  • Session Reuse in Rack::Session::Pool (CVE-2025-32441)

March 13th 2025, Rails version 6.1.7.26

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.13.10.

March 13th, 2025, Rack version 2.2.13.10

• Fixed CVE-2025-27610: Local File Inclusion in Rack::Static. Read the announcement Show archive.org snapshot

March 11th, Rails version 6.1.7.25

• Removed the railslts-version gem. Read the announcement Show archive.org snapshot
• No security updates.

March 6th 2025, Rails version 6.1.7.24

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.12.10.

March 6th 2025, Rack version 2.2.12.10

• Fixed CVE-2025-27111: Possible Log Injection in Rack

February 21st, Rails version 6.1.7.23

• Bugfix: Require 'logger' library before use. This fixes a crash when upgrading to a newer version of the concurrenty-ruby gem.

February 21st, Rails version 6.1.7.22

• No changes in Rails.
• Bumped required Rack version to 2.2.11.10.

February 21st 2025, Rack version 2.2.11.10

• Fixed [CVE-2025-25184]: Possible Log Injection in Rack::CommonLogger

Dezember 11th 2024, Rails version 6.1.7.21

• Fixed CVE-2024-54133, a vulnerability that allows to bypass the Content Security Policy configuration in Rails' ActionDispatch. Read the announcement Show archive.org snapshot .

October 17th 2024, Rails version 6.1.7.20

• Fixed ReDoS vulnerabilities CVE-2024-41128, CVE-2024-47887, CVE-2024-47888, and CVE-2024-47889. Read the announcement Show archive.org snapshot .

Sep 18th, 2024: Version 6.1.7.19

• Reverted a dev-only bug fix breaking for users of older versions of the "listen" gem.

Sep 18th, 2024: Version 6.1.7.18

• Initial release of the LTS version of Rails 6.1.
• This is mostly identical to the latest official 6.1 release (6.1.7.8) plus some compatible and non-essential bug fixes.
• Supports Ruby 2.5, 2.7, 3.1 and 3.3
• Added monkey patches to address ReDoS vulnerabilities in the time stdlib on old Ruby versions (CVE-2023-28756), see here Show archive.org snapshot for more details (the uri changes can be solved by updating the "uri" gem)
• Bump dependencies on rack, trix and rails-html-sanitizer to versions without known security vulnerabilities.
• (Skipped 10 tiny versions to version .18 to stay ahead of any official 6.1.7.x community releases.)