List of CVEs addressed by Rails LTS

This is a list of known CVEs relevant for Rails LTS 2.3+. All CVEs are fixed in all versions of Rails LTS (or do not affect some versions). If a version of Rails LTS is not mentioned, the fix was already part of an official Ruby on Rails release, and is therefore also part of Rails LTS.

  • XSS vulnerability in the translate helper method in Ruby on Rails

    • Fixed in 2.3 LTS.
  • Possible XSS Security Vulnerability in SafeBuffer#[]

    • Rails 2.3 with up to date versions of the rails_xss plugin is not affected.
  • CVE-2012-1099

    • Fixed in 2.3 LTS.
  • CVE-2012-2660

    • Rails 2.3 is not affected.
  • CVE-2012-2661

    • Rails 2.3 is not affected.
  • CVE-2012-2694

    • Rails 2.3 is not affected.
  • CVE-2012-2695

    • Fixed in 2.3 LTS.
  • CVE-2012-3424

    • Rails 2.3 is not affected.
  • CVE-2012-3463

    • Rails 2.3 is not affected.
  • CVE-2012-3464

    • Fixed in 2.3 LTS.
  • CVE-2012-3465

    • Fixed in 2.3 LTS.
  • CVE-2012-5664 (a.k.a. CVE-2012-6496)

    • Fixed in 2.3 LTS.
  • CVE-2013-0155

    • Fixed in 2.3 LTS.
  • CVE-2013-0156

    • Fixed in 2.3 LTS.
  • CVE-2013-0276

    • Fixed in 2.3 LTS.
  • CVE-2013-0277

    • Fixed in 2.3 LTS.
  • CVE-2013-1855

    • Fixed in 2.3 LTS.
  • CVE-2013-1856

    • This is not fixed in 2.3 LTS, since Rails LTS does not support JRuby.
  • CVE-2013-1857

    • Fixed in 2.3 LTS.
  • CVE-2013-1854

    • Fixed in 2.3 LTS.
  • CVE-2013-3221

  • CVE-2013-4491

    • Rails 2.3 is not affected.
  • CVE-2013-6414

    • Rails 2.3 is not affected.
  • CVE-2013-6415

    • Fixed in 2.3 LTS.
  • CVE-2013-6417

    • Fixed in 2.3 LTS.
  • CVE-2013-6416

    • Rails 2.3 is not affected.
  • CVE-2014-0080

    • Rails 2.3 is not affected.
  • CVE-2014-0081

    • Fixed in 2.3 LTS.
  • CVE-2014-0082

    • Rails 2.3 is not affected.
  • CVE-2014-0130

    • Fixed in 2.3 LTS.
  • CVE-2014-3482

    • Fixed in 2.3 LTS.
  • CVE-2014-3483

    • Rails 2.3 is not affected.
  • CVE-2014-3514

    • Rails 2.3 is not affected.
  • CVE-2014-7818

    • Fixed in 2.3 LTS.
  • CVE-2014-7829

    • Rails 2.3 is not affected.
  • CVE-2015-1840

    • Rails 2.3 is not affected.
  • CVE-2015-3224

    • Rails 2.3 is not affected.
  • CVE-2015-3226

    • Rails 2.3 is not affected.
  • CVE-2015-3227

    • Fixed in 2.3 LTS.
  • Start of support for Rails 3.2 LTS. Earlier CVEs are all addressed.

  • CVE-2015-7576

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7577

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2015-7578

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7579

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7580

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2015-7581

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0751

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-0752

    • Rails 2.3 is not affected.
    • Fixed in 3.2 LTS.
  • CVE-2016-0753

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2097

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-2098

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6316

    • Rails 2.3 is not affected. A variant of this is fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
  • CVE-2016-6317

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-8048

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-3760

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16468

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
  • CVE-2018-16471

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
  • Start of support for Rails 4.2 LTS. Earlier CVEs are all addressed.

  • CVE-2018-16476

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Fixed in 4.2 LTS.
  • CVE-2018-16477

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-5418

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5419

    • Fixed in 2.3 LTS.
    • Fixed in 3.2 LTS.
    • Fixed in 4.2 LTS.
  • CVE-2019-5420

    • Rails 2.3 is not affected.
    • Rails 3.2 is not affected.
    • Rails 4.2 is not affected.
  • CVE-2019-16782 / CVE-2019-25025

  • CVE-2020-5267

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2020-10663

    • The vulnerability is not part of Rails LTS. We advise users to upgrade to json 2.3.0 or later.
    • For users who are unable to upgrade, we have released a workaround that will patch your json gem against this vulnerability.
  • CVE-2020-8130

  • CVE-2020-8151

  • CVE-2020-8159

  • CVE-2020-8161

    • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in the Rails 4.2 LTS's version of Rack.
  • CVE-2020-8162

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8163

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2020-8164

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8165

  • CVE-2020-8166

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8167

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2020-8184

    • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in the Rails 4.2 LTS's version of Rack.
  • CVE-2020-15169

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
  • CVE-2021-22880

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Fixed in Rails 4.2 LTS.
  • CVE-2021-22881

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2021-22885

  • CVE-2021-22902

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2021-22903

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
  • CVE-2021-22904

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Fixed in Rails 4.2 LTS.
  • Start of support for Rails 5.2 LTS. Earlier CVEs are all addressed.

  • CVE-2022-3704

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-23633

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-21831

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-22577

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-27777

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-30122

    • Fixed in the Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in the Rails 4.2 LTS's version of Rack.
    • The Rails 5.2 LTS's version of Rack is not affected.
  • CVE-2022-30123

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • The Rails 5.2 LTS's version of Rack is not affected.
  • CVE-2022-31163

    • The vulnerability is in the tzinfo gem.
    • Updated required gem version in Rails 2.3 LTS.
    • Updated required gem version in Rails 3.2 LTS.
    • Updated required gem version in Rails 4.2 LTS.
    • Updated required gem version in Rails 5.2 LTS.
  • CVE-2022-32224

    • Note that this is not a vulnerability in itself, but it allows attackers to escalate other hypothetical vulnerabilities (see details).
    • Fixed in Rails 2.3 LTS for Psych >= 2.0 (which requires Ruby >= 1.9).
    • Fixed in Rails 3.2 LTS for Psych >= 2.0 (which requires Ruby >= 1.9).
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-44566

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2022-44570

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2022-44571

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2022-44572

    • Does not affect Rails 2.3 / 3.2 LTS's version of Rack.
    • Does not affect Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2023-22792

    • Rails 2.3 LTS is not affected.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-22794

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2023-22795

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-22796

    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-22797

    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2023-22799

    • This affects the globalid gem. Fixed in globalid 1.0.1. Additionally:
    • Does not affect Rails 2.3 LTS apps.
    • Does not affect Rails 3.2 LTS apps.
    • Rails 4.2 LTS includes a monkey-patch fixing this vulnerability.
    • Rails 5.2 LTS includes a monkey-patch fixing this vulnerability.
  • CVE-2023-23913

    • This affects the jquery-ujs / prototype-ujs / rails-ujs gems / npm packages, which are not part of Rails LTS itself. We will try to provide a fix in the future.
    • Rails 2.3 LTS is not affected.
    • Unfixed for Rails 3.2 LTS when using the jquery-rails gem or jquery_ujs npm package.
    • Unfixed for Rails 4.2 LTS when using the jquery-rails gem or jquery_ujs npm package.
    • Fixed for Rails 5.2 LTS when using the bundled rails_ujs via the asset pipeline.
    • Unfixed for Rails 5.2 LTS when using the rails-ujs npm package.
  • CVE-2023-27530

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2023-27539

    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2023-28120

    • Rails 2.3 LTS is unaffected.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-28755

    • This is an issue in Ruby / the uri library.
    • Rails 2.3 LTS includes a monkey-patch.
    • Rails 3.2 LTS includes a monkey-patch.
    • Rails 4.2 LTS includes a monkey-patch.
    • Rails 5.2 LTS includes a monkey-patch.
  • CVE-2023-28756

    • This is an issue in Ruby / the time library.
    • Rails 2.3 LTS includes a monkey-patch.
    • Rails 3.2 LTS includes a monkey-patch.
    • Rails 4.2 LTS includes a monkey-patch.
    • Rails 5.2 LTS includes a monkey-patch.
  • CVE-2023-28362

    • This is an XSS issue in Rails' redirect_to method.
    • Fixed in Rails 2.3 LTS.
    • Fixed in Rails 3.2 LTS.
    • Fixed in Rails 4.2 LTS.
    • Fixed in Rails 5.2 LTS.
  • CVE-2023-38037

    • This is an issue with ActiveSupport::EncryptedFile.
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Fixed in Rails 5.2 LTS.
  • CVE-2024-25126

    • This is a ReDoS vulnerability in Rack.
    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2024-26141

    • This is a DoS vulnerability in Rack.
    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
  • CVE-2024-26142

    • This is a ReDoS vulnerability in ActionDispatch.
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2024-26143

    • This is an XSS vulnerability in ActionController.
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2024-26144

    • This is a session information leak in ActiveStorage.
    • Rails 2.3 LTS is not affected.
    • Rails 3.2 LTS is not affected.
    • Rails 4.2 LTS is not affected.
    • Rails 5.2 LTS is not affected.
  • CVE-2024-26146

    • This is a ReDoS vulnerability in Rack.
    • Fixed in Rails 2.3 / 3.2 LTS's version of Rack.
    • Fixed in Rails 4.2 LTS's version of Rack.
    • Fixed in Rails 5.2 LTS's version of Rack.
Tobias Kraze About 4 years ago