Rails 3.2.x Release Notes
Comprehensive release notes and changelog for Rails 3.2.x, including security patches, bug fixes, and feature updates across all supported versions.
37 Patched Vulnerabilities
3.2.22.50
Bug Fixes
- CVE-2025-24293 (activestorage) allowed transformation methods that were potentially unsafe
- CVE-2025-55193 (activestorage) logging vulnerable to ANSI escape injection
Rack 1.4.7.27
Bug Fixes
- Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). This change has no security implications.
Rack 1.4.7.26
Bug Fixes
- CVE-2025-61919: Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
- CVE-2025-61780: A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
Rack 1.4.7.25
Bug Fixes
- CVE-2025-61770: Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
- CVE-2025-61771: Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
- CVE-2025-61772: Rack::Multipart::Parser can accumulate unbounded data when a multipart part's header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
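The three multipart issues above and CVE-2025-61919 in Rack 1.4.7.26 share one failure mode: Rack reads request body bytes into process memory with no upper bound. Besides upgrading to the patched releases, a defensive check a practitioner can place in front of the parsers is a Rack middleware that rejects oversized bodies before they ever reach Rack::Request#POST or Rack::Multipart::Parser. The following is an added example, not Rack's or Rails NES's own code; the BodySizeLimit class, its 1 MiB cap, the chunk size and the sample requests in run_example are all constructed for illustration. It needs no gems, because a Rack middleware is simply an object whose call(env) method returns a status, headers and body.

```ruby
require 'stringio'

# Hypothetical Rack middleware (constructed for this example): refuses request
# bodies above a byte cap so that downstream form and multipart parsers never
# see an unbounded body. Both the declared Content-Length and the bytes that
# actually arrive are checked, because the header is client-controlled.
class BodySizeLimit
  MAX_BYTES = 1 * 1024 * 1024 # assumed cap of 1 MiB; tune per application
  CHUNK     = 64 * 1024       # read granularity, bounds transient overshoot

  def initialize(app, max_bytes: MAX_BYTES)
    @app = app
    @max = max_bytes
  end

  def call(env)
    # Fast path: a declared length over the cap is rejected without reading.
    declared = env['CONTENT_LENGTH'].to_i # missing header => 0
    return reject if declared > @max

    # Slow path: the declared length may be missing or wrong (chunked
    # transfer, lying client), so read in bounded chunks and stop early.
    input = env['rack.input']
    if input
      buf = +'' # mutable buffer
      while (chunk = input.read(CHUNK))
        buf << chunk
        return reject if buf.bytesize > @max
      end
      # Hand a rewound, known-size body to the application.
      env['rack.input'] = StringIO.new(buf)
    end
    @app.call(env)
  end

  private

  def reject
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Constructed sample request: the inner app reports how many body bytes it
# received. content_length defaults to the true size but can be set to a
# wrong value to simulate a client that misreports it.
def run_example(body, content_length: body.bytesize, max_bytes: BodySizeLimit::MAX_BYTES)
  app = ->(env) { [200, { 'content-type' => 'text/plain' }, [env['rack.input'].read.bytesize.to_s]] }
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => 'application/x-www-form-urlencoded',
    'CONTENT_LENGTH' => content_length.to_s,
    'rack.input'     => StringIO.new(body)
  }
  BodySizeLimit.new(app, max_bytes: max_bytes).call(env)
end

if __FILE__ == $PROGRAM_NAME
  p run_example('a=1')                                         # passes through
  p run_example('a=1' * 10, max_bytes: 8)                      # declared too large
  p run_example('x' * 20, content_length: 1, max_bytes: 8)     # lying Content-Length
end
```

In a Rails application this would be registered with config.middleware.insert_before on the middleware stack. The cap only bounds what the Ruby process buffers; the web server in front of it (for example Nginx's client_max_body_size) should enforce its own limit first, and the middleware is a layer of defence in depth, not a substitute for the patched Rack versions listed here.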
3.2.22.49
Rack 1.4.7.24
- CVE-2025-49007: There is a denial of service vulnerability in the Content-Disposition parsing component of Rack.
Notes
- This is the initial release of the NES Rails 3.2.x series. It also includes the release of NES for Rack v1.4.7.23.
Bug Fixes
- CVE-2025-46727 (rack) - Unbounded-Parameter DoS in Rack::QueryParser
- CVE-2025-32441 (rack) - Session Reuse in Rack::Session::Pool
- CVE-2025-27111 (rack) - Escape Sequence Injection vulnerability in Rack leading to Possible Log Injection
- CVE-2025-27610 (rack) - Local File Inclusion in Rack::Static
- CVE-2025-25184 (rack) - Possible Log Injection in Rack::CommonLogger
- CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
- CVE-2023-28362 (actionpack) – Fixed a possible cross-site scripting vulnerability via user-supplied values to redirect_to.
- CVE-2016-2098 (actionpack) – Fixed a remote code execution vulnerability via ActionPack's unrestricted use of the render method.
- CVE-2016-0751 (actionpack) – Fixed a denial of service vulnerability via a crafted HTTP Accept header in ActionPack.
- CVE-2021-22885 (actionpack) – Fixed an information disclosure/unintended method execution vulnerability in ActionPack.
- CVE-2015-7576 (actionpack) – Fixed a remote bypass authentication vulnerability in ActionPack.
- CVE-2023-22792 (actionpack) – Fixed a ReDoS-based DoS vulnerability in ActionDispatch.
- CVE-2016-2097 (actionpack) – Fixed a path traversal vulnerability in ActionView.
- CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in ActionDispatch.
- CVE-2016-0752 (actionpack) – Fixed a directory traversal vulnerability in ActionView.
- CVE-2022-32224 (activerecord) – Fixed an Active Record RCE bug with serialized columns.
- CVE-2022-44566 (activerecord) – Fixed a denial of service vulnerability in ActiveRecord's PostgreSQL adapter.
- CVE-2015-7577 (activerecord) – Fixed improper access control in ActiveRecord.
- CVE-2020-8151 (activeresource) – Fixed an information disclosure issue in ActiveResource.
- CVE-2023-22796 (activesupport) – Fixed a ReDoS-based DoS vulnerability in ActiveSupport's underscore.
- CVE-2023-28120 (activesupport) – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice.
- CVE-2020-5267 (actionview) – Fixed a cross-site scripting vulnerability in ActionView.
- CVE-2020-15169 (actionview) – Fixed an XSS vulnerability in ActionView.
- CVE-2022-27777 (actionview) – Fixed an XSS vulnerability in ActionView tag helpers.
- CVE-2020-8163 (actionview) – Fixed remote code execution via user-provided local names in ActionView.
- CVE-2016-6316 (actionview) – Fixed a cross-site scripting (XSS) vulnerability in ActionView.
- CVE-2016-2097 (actionview) – Fixed a path traversal vulnerability in ActionView.
- CVE-2019-16782 (rack) - Fixed a possible Information Leak / Session Hijack Vulnerability in Rack.
- CVE-2024-26146 (rack) - Fixed a Rack header parsing issue leading to a possible Denial of Service Vulnerability.