HeroDevs
Visit Rails NES Home Page

Rails 3.2.x Release Notes

3 versions

Changelog and Release Notes for the NES version of Rails 3.2

Mar 24, 2026
Latest: 3.2.22.51
117 Patched Vulnerabilities
VEX Statements

March 2026

3.2.22.51

Released Mar 24, 2026
CVE-2026-33168
CVE-2026-33176
CVE-2026-33169

Bug Fixes

Action View
Active Support

August 2025

3.2.22.50

Released Aug 20, 2025
CVE-2025-55193
CVE-2025-24293

Bug Fixes

Active Record
Active Storage

March 2025

3.2.22.49

Released Mar 17, 2025
CVE-2024-47889
CVE-2024-41128
CVE-2023-28362
CVE-2023-22792
CVE-2021-22885
18 More

Notes

  • This is the initial release of Never-Ending Support (NES) for Rails v3.2.x.
  • Removed the railslts-version gem.

Bug Fixes

Action Mailer
Action Pack
  • CVE-2024-41128 – Fixed a possible ReDoS vulnerability in query parameter filtering in ActionDispatch.
  • CVE-2023-28362 – Raise an exception if illegal characters are provide to redirect_to.
  • CVE-2023-22792 – Fixed a ReDoS-based DoS vulnerability in ActionDispatch.
  • CVE-2021-22885 – Fixed an information disclosure/unintended method execution vulnerability in ActionPack.
  • CVE-2020-8159 - Arbitrary file write/potential remote code execution attack.
  • CVE-2016-2098 – Fixed a remote code execution vulnerability via ActionPack's unrestricted use of the render method.
  • CVE-2016-0751 – Fixed a denial of service vulnerability via a crafted HTTP Accept header in ActionPack.
  • CVE-2015-7581 - Object leak vulnerability for wildcard controller routes.
  • CVE-2015-7576 – Fixed a remote bypass authentication vulnerability in ActionPack.
Action View
  • CVE-2022-27777 – Fixed an XSS vulnerability in ActionView tag helpers.
  • CVE-2020-15169 – Fixed an XSS vulnerability in ActionView.
  • CVE-2020-8163 – Fixed remote code execution via user-provided local names in ActionView.
  • CVE-2020-5267 – Fixed a cross-site scripting vulnerability in ActionView.
  • CVE-2016-6316 – Fixed a cross-site scripting (XSS) vulnerability in ActionView.
  • CVE-2016-2097 – Fixed a path traversal vulnerability in ActionView.
  • CVE-2016-0752 – Fixed a directory traversal vulnerability in ActionView.
Active Record
  • CVE-2022-44566 – Fixed a denial of service vulnerability in ActiveRecord's PostgreSQL adapter.
  • CVE-2022-32224 – Fixed an Active Record RCE bug with serialized columns.
  • CVE-2015-7577 – Fixed improper access control in ActiveRecord.
Active Resource
  • CVE-2020-8151 – Fixed an information disclosure issue in ActiveResource.
Active Support
  • CVE-2023-28120 – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice.
  • CVE-2023-22796 – Fixed a ReDoS-based DoS vulnerability in Active Support's underscore.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.