Rails 3.2.x Release Notes

Comprehensive release notes and changelog for Rails 3.2.x, including security patches, bug fixes, and feature updates across all supported versions.

37 Patched Vulnerabilities

3.2.22.50

Bug Fixes

  • CVE-2025-24293 (activestorage) – Active Storage allowed transformation methods that were potentially unsafe.
  • CVE-2025-55193 (activestorage) – Active Storage logging was vulnerable to ANSI escape sequence injection.

Rack 1.4.7.27

Bug Fixes

  • Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). This change has no security implications.

Rack 1.4.7.26

Bug Fixes

  • CVE-2025-61919: Rack::Request#POST read the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length limit or cap. A large request body could therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
  • CVE-2025-61780: A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Rack 1.4.7.25

Bug Fixes

  • CVE-2025-61770: Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
  • CVE-2025-61771: Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
  • CVE-2025-61772: Rack::Multipart::Parser can accumulate unbounded data when a multipart part's header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).

3.2.22.49

Rack 1.4.7.24

  • CVE-2025-49007: There is a denial of service vulnerability in the Content-Disposition parsing component of Rack.

Notes

  • This is the initial release of the NES Rails 3.2.x series. It also includes the release of NES for Rack v1.4.7.23.

Bug Fixes

  • CVE-2025-46727 (rack) – Unbounded-parameter DoS in Rack::QueryParser.
  • CVE-2025-32441 (rack) – Session reuse in Rack::Session::Pool.
  • CVE-2025-27111 (rack) – Escape sequence injection vulnerability in Rack leading to possible log injection.
  • CVE-2025-27610 (rack) – Local file inclusion in Rack::Static.
  • CVE-2025-25184 (rack) – Possible log injection in Rack::CommonLogger.
  • CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
  • CVE-2023-28362 (actionpack) – Fixed a possible cross-site scripting vulnerability via user-supplied values to redirect_to.
  • CVE-2016-2098 (actionpack) – Fixed a remote code execution vulnerability via ActionPack's unrestricted use of the render method.
  • CVE-2016-0751 (actionpack) – Fixed a denial of service vulnerability via a crafted HTTP Accept header in ActionPack.
  • CVE-2021-22885 (actionpack) – Fixed an information disclosure/unintended method execution vulnerability in ActionPack.
  • CVE-2015-7576 (actionpack) – Fixed a remote bypass authentication vulnerability in ActionPack.
  • CVE-2023-22792 (actionpack) – Fixed a ReDoS-based DoS vulnerability in ActionDispatch.
  • CVE-2016-2097 (actionpack) – Fixed a path traversal vulnerability in ActionView.
  • CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in ActionDispatch.
  • CVE-2016-0752 (actionpack) – Fixed a directory traversal vulnerability in ActionView.
  • CVE-2022-32224 (activerecord) – Fixed an Active Record RCE bug with serialized columns.
  • CVE-2022-44566 (activerecord) – Fixed a denial of service vulnerability in ActiveRecord's PostgreSQL adapter.
  • CVE-2015-7577 (activerecord) – Fixed improper access control in ActiveRecord.
  • CVE-2020-8151 (activeresource) – Fixed an information disclosure issue in ActiveResource.
  • CVE-2023-22796 (activesupport) – Fixed a ReDoS-based DoS vulnerability in ActiveSupport's underscore.
  • CVE-2023-28120 (activesupport) – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice.
  • CVE-2020-5267 (actionview) – Fixed a cross-site scripting vulnerability in ActionView.
  • CVE-2020-15169 (actionview) – Fixed an XSS vulnerability in ActionView.
  • CVE-2022-27777 (actionview) – Fixed an XSS vulnerability in ActionView tag helpers.
  • CVE-2020-8163 (actionview) – Fixed remote code execution via user-provided local names in ActionView.
  • CVE-2016-6316 (actionview) – Fixed a cross-site scripting (XSS) vulnerability in ActionView.
  • CVE-2016-2097 (actionview) – Fixed a path traversal vulnerability in ActionView.
  • CVE-2019-16782 (rack) – Fixed a possible information leak / session hijack vulnerability in Rack.
  • CVE-2024-26146 (rack) – Fixed a possible denial of service vulnerability in Rack header parsing.