October 20th 2025, Rails version 5.2.8.37
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.20.11.
October 20th 2025, Rack version 2.2.20.11
- Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). Has no security implications.
October 13th 2025, Rails version 5.2.8.36
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.20.10.
October 13th 2025, Rack version 2.2.20.10
- Merged upstream updates to Rack to address a DoS vulnerability (CVE-2025-61919) and a potential information disclosure (CVE-2025-61780). Read the announcement.
October 9th 2025, Rails version 5.2.8.35
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.19.10.
October 9th 2025, Rack version 2.2.19.10
- Merged upstream updates to Rack to address DoS vulnerabilities CVE-2025-61770, CVE-2025-61771, and CVE-2025-61772. Read the announcement.
October 1st 2025, Rails version 5.2.8.34
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.18.10.
October 1st 2025, Rack version 2.2.18.10
- Backported updates to Rack that address CVE-2025-59830. It was not affected in the first place, but we updated nonetheless. Read the announcement.
August 14th 2025, Rails version 5.2.8.33
- Backported fixes for two vulnerabilities. Read the announcement. This includes:
  - Dangerous transformation methods in ActiveStorage (CVE-2025-24293)
  - ANSI injection in ActiveRecord logging (CVE-2025-55193)
- Backported a (non-CVE) fix to ActionCable logging, to filter sensitive parameters.
June 6th 2025, Rails version 5.2.8.32
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.17.10.
June 6th 2025, Rack version 2.2.17.10
- Merged upstream changes from Rack 2.2.17.
- Fixed CVE-2025-49007: ReDoS Vulnerability in Rack Multipart Handling. Read the announcement.
May 9th 2025, Rails version 5.2.8.31
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.14.10.
May 9th 2025, Rack version 2.2.14.10
- Merged upstream changes from Rack 2.2.14. Read the announcement. This includes fixes for:
  - Unbounded-Parameter DoS in Rack::QueryParser (CVE-2025-46727)
  - Session Reuse in Rack::Session::Pool (CVE-2025-32441)
March 13th 2025, Rails version 5.2.8.30
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.13.10.
March 13th, 2025, Rack version 2.2.13.10
- Fixed CVE-2025-27610: Local File Inclusion in Rack::Static. Read the announcement.
March 11th 2025, Rails version 5.2.8.29
- Removed the railslts-version gem. Read the announcement.
- No security updates.
March 6th 2025, Rails version 5.2.8.28
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.12.10.
March 6th 2025, Rack version 2.2.12.10
- Fixed CVE-2025-27111: Possible Log Injection in Rack
February 21st 2025, Rails version 5.2.8.27
- No changes in Rails.
- Bumped Rack version requirement to version 2.2.11.10.
February 21st 2025, Rack version 2.2.11.10
- Fixed CVE-2025-25184: Possible Log Injection in Rack::CommonLogger
December 11th 2024, Rails version 5.2.8.26
- Fixed CVE-2024-54133, a vulnerability that allows bypassing the Content Security Policy configuration in Rails' ActionDispatch. Read the announcement.
October 17th 2024, Rails version 5.2.8.25
- Fixed ReDoS vulnerabilities CVE-2024-41128, CVE-2024-47887, and CVE-2024-47889. Read the announcement.
Sep 18th 2024, Rack version 2.2.9.10
- Merged upstream bug fixes from Rack 2.2.9.
May 14th 2024, Rails version 5.2.8.24
- Added support for Ruby 3.3. See our upgrade guide.
- (There is no release of Rack, version 2.2.8.10 is already compatible with Ruby 3.3.)
Feb 23rd 2024, Rack version 2.2.8.10
- Fixed DoS vulnerabilities CVE-2024-25126 and CVE-2024-26141, see here for more details.
- Merged several upstream bug fixes from Rack 2.2.8.
Oct 18th 2023, Rails version 5.2.8.23
- Fixed a bug for Ruby 3.1, where it was not possible to use scopes or class methods on scopes with keyword arguments.
Aug 23rd 2023, Rails version 5.2.8.22
- Fixed a possible local file disclosure of encrypted files (CVE-2023-38037), see here for more details.
Jun 27th 2023, Rails version 5.2.8.21
- Fixed a possible XSS vulnerability via User Supplied Values to redirect_to (CVE-2023-28362), see here for more details.
Apr 11th 2023, Rails version 5.2.8.19
- Fixed an issue with migrations on Ruby 3.1 when using code of the form

    change_table do |t|
      t.integer :size, default: 0         # works
      t.integer :count, { default: 0 }    # would create an additional column named "{default => 0}"
    end

  This could also cause weird columns to appear in the schema_migrations or ar_internal_metadata tables when creating a new database.
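The mechanism behind this entry is Ruby 3's separation of positional and keyword arguments. The following is an added illustration, not Rails LTS or ActiveRecord code: a minimal stand-in (FakeTableDefinition, a hypothetical name) with the same `*names, **options` calling shape as ActiveRecord's column helpers, run against the three call styles, so you can see the braced hash land in `*names` and become a bogus column name on Ruby 3 while the keyword and double-splat forms stay correct.

```ruby
# Added illustration, not Rails LTS code: a minimal stand-in for the table
# definition object yielded by change_table, showing why a braced options hash
# turns into an extra column on Ruby 3.
class FakeTableDefinition
  attr_reader :columns

  def initialize
    @columns = []
  end

  # Same calling shape as ActiveRecord's column helpers: one or more column
  # names are splatted, column options arrive as keyword arguments.
  def integer(*names, **options)
    names.each { |name| @columns << { name: name.to_s, options: options } }
  end
end

# Exercises the call styles from the changelog entry and returns the column
# names the fake definition recorded.
def recorded_column_names
  t = FakeTableDefinition.new
  t.integer :size, default: 0          # keyword form: works on every Ruby
  t.integer :count, { default: 0 }     # braced hash: on Ruby 3 it is a positional "name"
  t.integer :total, **{ default: 0 }   # explicit double-splat: safe everywhere
  t.columns.map { |c| c[:name] }
end

# On Ruby 3 a braced hash is a positional argument, so it lands in *names and
# is stringified into a bogus column name; on Ruby 2.x it is still converted
# to keywords (with a deprecation warning on 2.7).
def braced_hash_becomes_column?
  recorded_column_names.any? { |n| n.include?("default") }
end

if __FILE__ == $0
  puts recorded_column_names.inspect
  puts "bogus column created: #{braced_hash_becomes_column?}"
end
```

Run it under Ruby 3 and the output lists four column names, the third being the stringified hash; the same script under Ruby 2.x lists three. The lesson for reviewing migrations is the one the entry implies: pass options as bare keywords (or `**hash`), never as a braced literal.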
Apr 4th 2023, Rack version 2.2.6.14
- Backported non-security fixes from upstream Rack 2.2.5 and 2.2.6. Changes are:
  - Extend Rack::MethodOverride to handle QueryParser::ParamsTooDeepError error.
  - Rack::URLMap uses non-deprecated form of Regexp.new.
  - Extend
Apr 4th 2023, Rails version 5.2.8.18
- Added monkey patches to address ReDoS vulnerabilities in the time and uri stdlibs (CVE-2023-28755, CVE-2023-28756), see here for more details.
Mar 14th 2023: Rails version 5.2.8.17
- Fixed XSS issue CVE-2023-28120 with SafeBuffer#bytesplice (only on Ruby 3.2, which is not currently supported), see here for more details.
- Fixed possible XSS issue CVE-2023-23913 in bundled rails-ujs, see here for more details. We also provided patched NPM packages, see here for more details.
Mar 14th 2023: Rack version 2.2.4.13
- Backported fix for DoS vulnerability CVE-2023-27539, see here for more details.
Mar 3rd, 2023: Rack version 2.2.4.12
- Backported fix for [CVE-2023-27530] to address a potential DoS attack with Rack multipart requests.
- See here for additional details and a potential breaking change.
Jan 24th, 2023: Rails version 5.2.8.16
- Bugfix for an issue with cookie domains introduced by [CVE-2023-22792]. Please read the details if you had 5.2.8.15 running in production.
Jan 20th, 2023: Rails version 5.2.8.15
- Fixed multiple ReDoS vulnerabilities in Rails: [CVE-2023-22792], [CVE-2023-22796], [CVE-2023-22795]
- Fixed a DoS vulnerability in the PostgreSQL adapter for ActiveRecord [CVE-2022-44566]
- ActiveRecord will now throw an exception if you pass an integer > 64bit. You can opt out using

    config.active_record.raise_int_wider_than_64bit = false

- Added a monkey patch to fix a ReDoS vulnerability in globalid [CVE-2023-22799]
- See here for more details
Jan 20th, 2023: Rack version 2.2.4.11
- Fixed multiple ReDoS vulnerabilities in Rack: [CVE-2022-44570], [CVE-2022-44571], [CVE-2022-44572]
- See here for more details
Dec 16th, 2022: Rails version 5.2.8.14
- Backported fix for CVE-2022-3704. This is an XSS vulnerability that only applies to development and not an actual security problem.
Dec 13th, 2022: Rails version 5.2.8.13
Dec 13th, 2022: Rack version 2.2.4.10
- Based on our fork of rack.
- Added support for Ruby 2.2.
- Added support for Ruby 3.1.
- Includes fixes for CWE-444.
- More info
Jul 21st, 2022: Version 5.2.8.12
- Updated required tzinfo version to address CVE-2022-31163; see details.
Jul 14th, 2022: Version 5.2.8.11
- Merged upstream bug fix for [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record. We tried to make it less of a breaking change than the official patch by adding a default set of permitted serializable classes. See details.
May 18th, 2022: Version 5.2.8.10
- Merged upstream bug fix for recent security fix for CVE-2022-27777 and improved it; see details.
Apr 27th, 2022: Version 5.2.7.11
- Merged upstream fixes for CVE-2022-22577 and CVE-2022-27777, to include CSP headers on all responses, and fixing possible XSS vulnerabilities via content_tag or tag helpers; see details.
Mar 12th, 2022: Version 5.2.7.10
- Merged upstream fix for loading image processing arguments with incorrect order. See here.
Mar 09th, 2022: Version 5.2.6.12
- Merged upstream fix for CVE-2022-21831, which fixes a potential code injection vulnerability in ActiveStorage by adding an allowlist to image processing methods, in case user input is passed to the #variant method. See here.
Feb 12th, 2022: Version 5.2.6.11
- Merged upstream fix for CVE-2022-23633, addressing potential cross-request information leakage in Action Pack. See here.
Dec 09th, 2021: Version 5.2.6.10
- Initial release of the LTS version of Rails 5.2.
- This is identical to the official 5.2.6 release, except for the additional Rails LTS hardening config. This config currently has no effect but might be used for future fixes (in which case the advisory will point that out).
- Supports Ruby 2.2, 2.5, and 2.7.
- (Skipped to version .10 to avoid collision with a potential future 5.2.6.1 community release.)
Posted by Tobias Kraze to Rails LTS documentation (2021-12-09 12:28)