
Rails 5.2.x

NES Release Notes

5.2.8.37

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.20.11
  • Removed an unnecessary warning ("unknown or unsafe x-sendfile variation") that the Rack::Sendfile fix in the previous release had introduced. This change has no security implications.

5.2.8.36

Bug Fixes

  • CVE-2025-61919: Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
  • CVE-2025-61780: A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.20.10

5.2.8.35

Bug Fixes

  • CVE-2025-61770: Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
  • CVE-2025-61771: Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
  • CVE-2025-61772: Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
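
The three multipart entries above and the CVE-2025-61919 entry in 5.2.8.36 share a root cause: the parser accumulates request data with no upper bound. Upgrading to the patched Rack is the fix; until that deploys, a bound enforced in front of the parser limits the blast radius. The middleware below is an added example, not Rack's, Rails' or the NES project's code; the class name BodySizeCap, the 1 MiB default and the 16 KiB chunk size are assumptions chosen for illustration, and the request env it is exercised with is constructed inline.

```ruby
# Added example, not Rack's or Rails' own code: a Rack-compatible middleware that
# bounds how much of a form or multipart body may be buffered before the
# framework's parser sees it. Class name, the 1 MiB default and the 16 KiB
# read chunk are assumptions chosen for illustration.
require 'stringio'

class BodySizeCap
  DEFAULT_LIMIT = 1024 * 1024 # assumed default; tune per application
  CHUNK = 16 * 1024
  GUARDED_TYPES = %r{\A(?:application/x-www-form-urlencoded|multipart/form-data)}i

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless GUARDED_TYPES.match?(env['CONTENT_TYPE'].to_s)

    # A declared Content-Length is only used to reject early, never to admit:
    # a client can lie about it or send a chunked body with none at all.
    declared = env['CONTENT_LENGTH'].to_s
    return too_large if declared.match?(/\A\d+\z/) && declared.to_i > @limit

    # Read in bounded chunks and stop as soon as the cap is crossed, so the
    # process never holds more than limit + CHUNK bytes of this body.
    input = env['rack.input']
    buffered = ''.b
    while (chunk = input.read(CHUNK))
      buffered << chunk
      return too_large if buffered.bytesize > @limit
    end

    # Hand the downstream parser a rewound copy of the bounded body.
    env['rack.input'] = StringIO.new(buffered)
    env['CONTENT_LENGTH'] = buffered.bytesize.to_s
    @app.call(env)
  end

  private

  def too_large
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Test scaffolding: a minimal Rack env built from a constructed body, and an
# inner app that reports how many body bytes reached it.
def build_env(body, content_type, content_length: body.bytesize)
  {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => content_type,
    'CONTENT_LENGTH' => content_length.to_s,
    'rack.input'     => StringIO.new(body)
  }
end

INNER_APP = ->(env) { [200, {}, ["read #{env['rack.input'].read.bytesize} bytes"]] }

def run_request(app, body, content_type, content_length: body.bytesize)
  status, _headers, body_parts = app.call(build_env(body, content_type, content_length: content_length))
  [status, body_parts.join]
end

if __FILE__ == $0
  app = BodySizeCap.new(INNER_APP, limit: 64)
  p run_request(app, 'a=1&b=2', 'application/x-www-form-urlencoded')
  p run_request(app, 'x' * 1000, 'application/x-www-form-urlencoded', content_length: 7) # lying Content-Length
  p run_request(app, 'x' * 1000, 'application/json') # not a guarded type, passed through
end
```

The cap is whole-body and coarse: it cannot tell a legitimate 900 KB file upload from a 900 KB preamble or a single oversized text field, which is what the per-part limits in the patched parser are for, so treat it as defense in depth rather than a replacement. A reverse proxy limit (for example Nginx's client_max_body_size) gives the same protection one hop earlier and also bounds what the Ruby process ever reads.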

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.19.10

5.2.8.34

Bug Fixes

  • CVE-2025-59830 (rack) – Rack had an unsafe default in Rack::QueryParser that allowed the params_limit to be bypassed via semicolon-separated parameters
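
An added example (not Rack's code) of the shape of bug described in the entry above: a query parser whose params_limit is enforced by counting one separator while the parse loop splits on two. The class name MiniQueryParser, its error class and the 50-pair payload are constructed for illustration.

```ruby
# Added example, not Rack's own code: a cut-down query parser that shows why
# counting pairs on '&' while splitting on both '&' and ';' lets params_limit be
# bypassed, beside a version that counts exactly what it parses. Class and
# error names are assumptions for illustration.
require 'cgi'

class MiniQueryParser
  class ParamsTooManyError < StandardError; end

  attr_reader :params_limit, :separators

  # separators: every byte that may end a key=value pair. '&;' mimics a
  # permissive default; '&' alone treats ';' as ordinary data.
  def initialize(params_limit:, separators: '&')
    @params_limit = params_limit
    @separators = separators
  end

  # Vulnerable shape: the limit is checked by counting '&' only, but the pairs
  # are then split on every configured separator, so "a=1;b=2;c=3;..." passes
  # the check as one parameter and is parsed as many.
  def parse_unsafe(query)
    raise ParamsTooManyError if query.count('&') + 1 > params_limit
    to_hash(split_pairs(query))
  end

  # Hardened shape: split first, then apply the limit to the real pair count.
  def parse_safe(query)
    pairs = split_pairs(query)
    raise ParamsTooManyError if pairs.size > params_limit
    to_hash(pairs)
  end

  private

  def split_pairs(query)
    query.split(/[#{Regexp.escape(separators)}]/).reject(&:empty?)
  end

  def to_hash(pairs)
    pairs.each_with_object({}) do |pair, h|
      key, value = pair.split('=', 2)
      h[CGI.unescape(key)] = value && CGI.unescape(value)
    end
  end
end

# Constructed attack query: 50 pairs joined by ';' and no '&' at all.
ATTACK_QUERY = (1..50).map { |i| "p#{i}=#{i}" }.join(';')

# Returns [params parsed by the vulnerable path, outcome of the hardened path with
# the permissive separator set, params parsed with '&' as the only separator].
def demo(limit: 10)
  permissive = MiniQueryParser.new(params_limit: limit, separators: '&;')
  strict     = MiniQueryParser.new(params_limit: limit, separators: '&')
  [
    permissive.parse_unsafe(ATTACK_QUERY).size,
    (permissive.parse_safe(ATTACK_QUERY) rescue :rejected),
    strict.parse_safe(ATTACK_QUERY).size
  ]
end

p demo if __FILE__ == $0 # => [50, :rejected, 1]
```

The hardened version does two things that each close the bypass on its own: it counts pairs after the real split, and it defaults to '&' as the only separator so ';' is ordinary data. An application that genuinely relies on ';'-separated parameters should keep the explicit separator set and the post-split count, never the '&'-only count.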

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.18.10

5.2.8.33

Bug Fixes

  • CVE-2025-24293 (activestorage) allowed transformation methods that were potentially unsafe
  • CVE-2025-55193 (activerecord) Active Record logging was vulnerable to ANSI escape sequence injection

5.2.8.32

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.17.10

Bug Fixes

5.2.8.31

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.14.10

Bug Fixes

5.2.8.30

Notes

  • This is the initial release of the NES Rails 5.2.x series. It also includes the release of NES for Rack v2.2.13.10.

Bug Fixes

  • CVE-2025-27111 (rack) – Escape sequence injection vulnerability in Rack leading to possible log injection
  • CVE-2025-27610 (rack) – Local file inclusion in Rack::Static
  • CVE-2025-25184 (rack) – Possible log injection in Rack::CommonLogger
  • CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
  • CVE-2023-28362 (actionpack) – Fixed a possible cross-site scripting (XSS) vulnerability via user-supplied values in redirect_to.
  • CVE-2023-22795 (actionpack) – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.
  • CVE-2023-22792 (actionpack) – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.
  • CVE-2024-47887 (actionpack) – Fixed a possible ReDoS vulnerability in HTTP Token authentication in Action Controller.
  • CVE-2024-54133 (actionpack) – Fixed a possible Content Security Policy bypass in Action Dispatch.
  • CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.
  • CVE-2022-32224 (activerecord) – Fixed an Active Record RCE bug with serialized columns.
  • CVE-2022-44566 (activerecord) – Fixed a denial-of-service (DoS) vulnerability in ActiveRecord's PostgreSQL adapter.
  • CVE-2023-38037 (activesupport) – Fixed a potential information disclosure vulnerability in Active Support where locally encrypted files could be exposed.
  • CVE-2023-22796 (activesupport) – Fixed a ReDoS-based DoS vulnerability in Active Support's underscore.
  • CVE-2023-28120 (activesupport) – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice.
  • CVE-2023-23913 (actionview) – Fixed a DOM-based cross-site scripting (XSS) vulnerability in rails-ujs affecting contenteditable HTML elements.
  • CVE-2024-26144 (activestorage) – Possible sensitive session information leak in Active Storage (Not fixed).
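
The two log injection entries above (CVE-2025-27111, CVE-2025-25184) and the Active Record ANSI escape injection fixed in 5.2.8.33 (CVE-2025-55193) are the same failure: untrusted bytes reach a log line unescaped, where a terminal or log viewer interprets ESC sequences as formatting and a bare CR/LF as a new entry. The code below is an added example, not Rails', Rack's or the NES project's code: it escapes control characters at the logger boundary and scans existing records for sequences that may already have been injected. The sample records, the SafeLogFormatter name and the finding labels are constructed for illustration.

```ruby
# Added example, not Rails' or Rack's own code: a sanitiser that neutralises
# control characters before a value is logged, a Logger formatter that applies
# it, and a scanner that flags escape sequences in existing log records. The
# log records and identifiers below are constructed for illustration.
require 'logger'

# Every C0 control character plus DEL. ESC (0x1b) starts ANSI sequences, CR/LF
# forge new log entries, and the rest can confuse terminals and log viewers.
CONTROL_CHAR = /[\x00-\x1f\x7f]/

# Render each control character as a visible \xNN escape so "\e[2K\r" arrives in
# the log as the literal text \x1b[2K\x0d instead of being interpreted.
def sanitize_for_log(value)
  value.to_s.gsub(CONTROL_CHAR) { |c| format('\\x%02x', c.ord) }
end

# Drop-in formatter: sanitise at the logging boundary instead of at every call site.
class SafeLogFormatter < Logger::Formatter
  def call(severity, time, progname, msg)
    super(severity, time, progname, sanitize_for_log(msg2str(msg)))
  end
end

# Patterns for the scanner: CSI (ESC [ params final), OSC (ESC ] ... BEL or ESC \)
# and any leftover bare ESC.
ANSI_CSI = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
ANSI_OSC = /\e\][^\a\e]*(?:\a|\e\\)/
BARE_ESC = /\e/

# Classify one raw log record; an empty array means nothing suspicious.
def inspect_log_record(record)
  findings = []
  findings << :csi_sequence     if record.match?(ANSI_CSI)
  findings << :osc_sequence     if record.match?(ANSI_OSC)
  findings << :bare_escape      if findings.empty? && record.match?(BARE_ESC)
  findings << :embedded_newline if record.match?(/[\r\n]/)
  findings
end

# Constructed sample records: one clean, one using "erase line + carriage
# return" to overwrite itself, one forging a second entry via LF, and one
# smuggling an OSC title-change through a record ID.
SAMPLE_RECORDS = [
  'Started GET "/posts/42" for 203.0.113.5',
  "Started GET \"/posts/42\e[2K\rStarted GET \"/healthz\" for 127.0.0.1\" for 203.0.113.5",
  "Started GET \"/posts/42\" for 203.0.113.5\nCompleted 200 OK in 3ms",
  "Post Load (0.2ms)  SELECT \"posts\".* FROM \"posts\" WHERE \"posts\".\"id\" = '42\e]0;owned\a'"
].freeze

# Returns [[record_index, findings], ...] for every suspicious record.
def scan_records(records)
  records.each_with_index.each_with_object([]) do |(record, index), out|
    findings = inspect_log_record(record)
    out << [index, findings] unless findings.empty?
  end
end

if __FILE__ == $0
  p scan_records(SAMPLE_RECORDS)
  logger = Logger.new($stdout)
  logger.formatter = SafeLogFormatter.new
  logger.info("lookup for id #{SAMPLE_RECORDS[3][/'(.*)'/, 1]}")
end
```

Escaping rather than stripping keeps the evidence: an investigator can still see that a client sent \x1b[2K\x0d. When hunting in archived logs, remember that a line-oriented reader has already split on an injected LF, so the :embedded_newline finding only fires on CR or on records read whole; correlate by timestamp and source address for entries that look too clean.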