CVE-2026-33658 - Fix possible DoS vulnerability in proxy mode via multi-range requests.
CVE-2026-33202 — Fix possible glob injection in DiskService.
CVE-2026-33195 — Fix possible path traversal in DiskService.
CVE-2026-33174 - Fix possible DoS vulnerability in proxy mode via Range requests.
CVE-2026-33173 — Fix insufficient filtering of metadata in direct uploads.

Active Support

CVE-2026-33176 — Fix possible DoS vulnerability in number helpers.
CVE-2026-33170 — Fix possible XSS vulnerability in SafeBuffer#%.
CVE-2026-33169 — Fix possible ReDoS vulnerability in number_to_delimited.

5.2.8.38

Released Mar 4, 2026

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.22.10.

October 2025

5.2.8.37

Released Oct 30, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.20.11.

5.2.8.36

Released Oct 13, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.20.10.

5.2.8.35

Released Oct 10, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.19.10.

5.2.8.34

Released Oct 2, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.18.10.

August 2025

5.2.8.33

Released Aug 20, 2025

CVE-2025-55193

CVE-2025-24293

Security Fixes

Active Record

CVE-2025-55193 - Call inspect on ids in RecordNotFound error.

Active Storage

CVE-2025-24293 - Remove dangerous transformations.

June 2025

5.2.8.32

Released Jun 17, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.17.10.

May 2025

5.2.8.31

Released May 15, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.14.10.

March 2025

5.2.8.30

Released Mar 17, 2025

Notes

Removed the railslts-version gem.

February 2025

5.2.8.26

Released Feb 10, 2025

8 More

Notes

This is the initial release of Never-Ending Support (NES) for Rails v5.2.x.

Security Fixes

Action Mailer

CVE-2024-47889 – Avoid regex backtracking in block_format helper.

Action Pack

CVE-2024-54133 – Fixed a possible Content Security Policy bypass in Action Dispatch.
CVE-2024-47887 – Fixed a possible ReDoS vulnerability in HTTP Token authentication in Action Controller.
CVE-2024-41128 – Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.
CVE-2023-28362 – Raise an exception if illegal characters are provide to redirect_to.
CVE-2023-22795 – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.
CVE-2023-22792 – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.

Action View

CVE-2023-23913 – Fixed a DOM-based cross-site scripting (XSS) vulnerability in rails-ujs affecting contenteditable HTML elements.

Active Record

CVE-2022-44566 – Fixed a denial-of-service (DoS) vulnerability in ActiveRecord's PostgreSQL adapter.
CVE-2022-32224 – Fixed an Active Record RCE bug with serialized columns.

Active Support

CVE-2023-38037 – Fixed a potential information disclosure vulnerability in Active Support where locally encrypted files could be exposed.
CVE-2023-28120 – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice.
CVE-2023-22796 – Fixed a ReDoS-based DoS vulnerability in Active Support's underscore.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team