207 Rails 6.1 LTS Changelog

October 20th 2025, Rails version 6.1.7.33

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.20.11.

October 20th 2025, Rack version 2.2.20.11

• Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). Has no security implications.

October 13th 2025, Rails version 6.1.7.32

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.20.10.

October 13th 2025, Rack version 2.2.20.10

• Merged upstream updates to Rack to address an DOS vulnerability CVE-2025-61919 and a potential information disclosure CVE-2025-61780. Read the announcement Show archive.org snapshot

October 9th 2025, Rails version 6.1.7.31

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.19.10.

October 9th 2025, Rack version 2.2.19.10

• Merged upstream updates to Rack to address DOS vulnerabilities CVE-2025-61770, CVE-2025-61771, and CVE-2025-61772. Read the announcement Show archive.org snapshot

October 1st 2025, Rails version 6.1.7.30

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.18.10.

October 1st 2025, Rack version 2.2.18.10

• Backported updates to Rack that address CVE-2025-59830. It was not affected in the first place, but we updated nonetheless. Read the announcement Show archive.org snapshot .

August 14th 2025, Rails version 6.1.7.29

• Backported fixes for two vulnerabilies. Read the announcement Show archive.org snapshot . This includes:

  • Dangerous transformation methods in ActiveStorage (CVE-2025-24293)
  • ANSI injection in ActiveRecord logging (CVE-2025-55193)

• Backported a (non-CVE) fix to ActionCable logging, to filter sensitive parameters.

June 6th 2025, Rails version 6.1.7.28

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.17.10.

June 6th 2025, Rack version 2.2.17.10

• Merged upstream changes from Rack 2.2.17.
• Fixed CVE-2025-49007: ReDoS Vulnerability in Rack Multipart Handling. Read the announcement Show archive.org snapshot .

May 9th 2025, Rails version 6.1.7.27

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.14.10.

May 9th 2025, Rack version 2.2.14.10

• Merged upstream changes from Rack 2.2.14. Read the announcement Show archive.org snapshot . This includes fixes for
  • Unbounded-Parameter DoS in Rack::QueryParser (CVE-2025-46727)
  • Session Reuse in Rack::Session::Pool (CVE-2025-32441)

March 13th 2025, Rails version 6.1.7.26

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.13.10.

March 13th, 2025, Rack version 2.2.13.10

• Fixed CVE-2025-27610: Local File Inclusion in Rack::Static. Read the announcement Show archive.org snapshot

March 11th, Rails version 6.1.7.25

• Removed the railslts-version gem. Read the announcement Show archive.org snapshot
• No security updates.

March 6th 2025, Rails version 6.1.7.24

• No changes in Rails.
• Bumped Rack version requirement to version 2.2.12.10.

March 6th 2025, Rack version 2.2.12.10

• Fixed CVE-2025-27111: Possible Log Injection in Rack

February 21st, Rails version 6.1.7.23

• Bugfix: Require 'logger' library before use. This fixes a crash when upgrading to a newer version of the concurrenty-ruby gem.

February 21st, Rails version 6.1.7.22

• No changes in Rails.
• Bumped required Rack version to 2.2.11.10.

February 21st 2025, Rack version 2.2.11.10

• Fixed [CVE-2025-25184]: Possible Log Injection in Rack::CommonLogger

Dezember 11th 2024, Rails version 6.1.7.21

• Fixed CVE-2024-54133, a vulnerability that allows to bypass the Content Security Policy configuration in Rails' ActionDispatch. Read the announcement Show archive.org snapshot .

October 17th 2024, Rails version 6.1.7.20

• Fixed ReDoS vulnerabilities CVE-2024-41128, CVE-2024-47887, CVE-2024-47888, and CVE-2024-47889. Read the announcement Show archive.org snapshot .

Sep 18th, 2024: Version 6.1.7.19

• Reverted a dev-only bug fix breaking for users of older versions of the "listen" gem.

Sep 18th, 2024: Version 6.1.7.18

• Initial release of the LTS version of Rails 6.1.
• This is mostly identical to the latest official 6.1 release (6.1.7.8) plus some compatible and non-essential bug fixes.
• Supports Ruby 2.5, 2.7, 3.1 and 3.3
• Added monkey patches to address ReDoS vulnerabilities in the time stdlib on old Ruby versions (CVE-2023-28756), see here Show archive.org snapshot for more details (the uri changes can be solved by updating the "uri" gem)
• Bump dependencies on rack, trix and rails-html-sanitizer to versions without known security vulnerabilities.
• (Skipped 10 tiny versions to version .18 to stay ahead of any official 6.1.7.x community releases.)