211 Using strings in polymorphic helpers / CVE-2021-22885

String elements in polymorphic route arrays can trigger unexpected helper calls and leak secrets; Rails LTS blocks them by default, with an opt-out for compatibility.

250 Security standards and practices

Rails LTS security handling relies on public disclosure, multi-person patch review, tests, restricted access, and hardened infrastructure for vulnerable versions.

280 Support for modern Ruby versions up to Ruby 3.3

Rails LTS works with Ruby 3.3 and below, but upgrading Ruby still needs manual fixes for gems, keyword arguments, YAML loading, and standard-library changes.

290 Ruby 2.7 support for Rails 2.3 LTS

Legacy Rails apps on Ruby 2.7 often need code and gem fixes despite Rails 2.3 LTS compatibility; test coverage and gem upgrades reduce upgrade risk.

291 Ruby 2.7 support for Rails 3.2 LTS

Rails 3.2 LTS can run on Ruby 2.7 without Rails monkey patches, but application code and gems may still need compatibility fixes during upgrade.

303 Backported patches for legacy Ruby versions

Security backports for legacy Ruby releases address OpenSSL hostname verification and floating-point parsing vulnerabilities in Ruby 1.8.7 and 1.9.3.

310 rspec-rails 1.3 compatibility fork for Rails LTS 2.3

Rails LTS 2.3 can break render_template expectations in controller specs because of rspec-rails 1.x monkey-patching. A compatibility fork of rspec-rails 1.3 restores the behavior.

311 rspec-rails 2.14 compatibility fork for Rails 3.2 LTS

Rails 3.2 LTS can break RSpec 2 controller specs with NoMethodError: undefined method [] for nil:NilClass; a compatibility fork of rspec-rails 2.14 restores them.

401 [CVE-2018-15578] Denial of Service vulnerability in Rails 3.2 LTS (Active Record)

ReDoS in Rails LTS Active Record can let crafted requests burn excessive CPU time when user input reaches queries using .includes, especially on large POST bodies.

Change to ActiveRecord deserialization (CVE-2022-32224)

Rails LTS switches ActiveRecord YAML deserialization to YAML.safe_load to reduce remote code execution risk from poisoned serialized columns; unsupported classes may now raise exceptions.

Installation instructions for rails-ujs or jquery-ujs

Security-fixed forked packages replace vulnerable rails-ujs and jquery-ujs installs after CVE-2023-23913, with NPM and Git-based gem options for Rails apps.

Rack has been added to Rails LTS

Rack is now a core gem of Rails LTS, with maintained patched versions for supported Ruby and Rails releases; upgrading via the LTS gem server is recommended.

Ruby 3.1 support for Rails LTS

Rails LTS now supports Ruby 3.1, but upgrades can break on removed stdlib APIs, YAML loading changes, and keyword-argument handling.