HeroDevs

Rails 3.2.x

NES Release Notes

3.2.22.50

Bug Fixes

  • CVE-2025-24293 (activestorage) allowed transformation methods that were potentially unsafe
  • CVE-2025-55193 (activestorage) logging vulnerable to ANSI escape injection

3.2.22.49

Rack Update

  • As of June 6th, 2025 in order to resolve CVE-2025-49007 this version now pulls in Rack v1.4.7.24

Notes

  • This is the initial release of the NES Rails 3.2.x series. It also includes the release of NES for Rack v1.4.7.23.

Bug Fixes

  • CVE-2025-46727 (rack) - Unbounded-Parameter DoS in Rack::QueryParser
  • CVE-2025-32441 (rack) - Session Reuse in Rack::Session::Pool
  • CVE-2025-27111 (rack) - Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
  • CVE-2025-27610 (rack) - Local File Inclusion in Rack::Static
  • CVE-2025-25184 (rack) - Possible Log Injection in Rack::CommonLogger
  • CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
  • CVE-2023-28362 (actionpack) – Fixed a possible cross-site scripting vulnerability via user-supplied values to redirect_to.
  • CVE-2016-2098 (actionpack) – Fixed a remote code execution vulnerability via ActionPack's unrestricted use of the render method.
  • CVE-2016-0751 (actionpack) – Fixed a denial of service vulnerability via a crafted HTTP Accept header in ActionPack.
  • CVE-2021-22885 (actionpack) – Fixed an information disclosure/unintended method execution vulnerability in ActionPack.
  • CVE-2015-7576 (actionpack) – Fixed a remote bypass authentication vulnerability in ActionPack.
  • CVE-2023-22792 (actionpack) – Fixed a ReDoS-based DoS vulnerability in ActionDispatch.
  • CVE-2016-2097 (actionpack) – Fixed a path traversal vulnerability in ActionView.
  • CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in ActionDispatch.
  • CVE-2016-0752 (actionpack) – Fixed a directory traversal vulnerability in ActionView.
  • CVE-2022-32224 (activerecord) – Fixed an Active Record RCE bug with serialized columns.
  • CVE-2022-44566 (activerecord) – Fixed a denial of service vulnerability in ActiveRecord's PostgreSQL adapter.
  • CVE-2015-7577 (activerecord) – Fixed improper access control in ActiveRecord.
  • CVE-2020-8151 (activeresource) – Fixed an information disclosure issue in ActiveResource.
  • CVE-2023-22796 (activesupport) – Fixed a ReDoS-based DoS vulnerability in ActiveSupport's underscore.
  • CVE-2023-28120 (activesupport) – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice.
  • CVE-2020-5267 (actionview) – Fixed a cross-site scripting vulnerability in ActionView.
  • CVE-2020-15169 (actionview) – Fixed an XSS vulnerability in ActionView.
  • CVE-2022-27777 (actionview) – Fixed an XSS vulnerability in ActionView tag helpers.
  • CVE-2020-8163 (actionview) – Fixed remote code execution via user-provided local names in ActionView.
  • CVE-2016-6316 (actionview) – Fixed a cross-site scripting (XSS) vulnerability in ActionView.
  • CVE-2016-2097 (actionview) – Fixed a path traversal vulnerability in ActionView.
  • CVE-2019-16782 (rack) - Fixed a possible Information Leak / Session Hijack Vulnerability in Rack
  • CVE-2024-26146 (rack) - Fixed Rack Header Parsing leads to Possible Denial of Service Vulnerability
Rails 2.3.x
NES Release Notes
Previous Article
Rails 4.2.x
NES Release Notes
Next Article