Ruby on Rails Security Releases 2024 — Complete CVE List

April 1, 2026 · PackageFix · 6 min read

Rails had 8 security releases in 2024 spanning CVEs in Action Pack, Action Text, and the query parser. Four of them were released together in October 2024 — the largest single security release batch in recent Rails history. Here is every CVE, the affected versions, and the exact patch version to update to.

All Rails CVEs in 2024

| CVE | Date | Severity | Description | Fix version |
| --- | --- | --- | --- | --- |
| CVE-2024-26143 | Feb 2024 | HIGH | XSS via Action Text content | 7.1.3.1 / 7.0.8.1 / 6.1.7.7 |
| CVE-2024-26142 | Feb 2024 | HIGH | ReDoS via header parsing | 7.1.3.1 / 7.0.8.1 / 6.1.7.7 |
| CVE-2024-28103 | Jun 2024 | MEDIUM | Possible header injection in CORS headers | 7.1.3.4 / 7.0.8.4 / 6.1.7.8 |
| CVE-2024-41128 | Oct 2024 | HIGH | ReDoS in query parameter parsing | 7.2.1.1 / 7.1.4.1 / 7.0.8.5 |
| CVE-2024-47887 | Oct 2024 | HIGH | DoS via large multipart form | 7.2.1.1 / 7.1.4.1 / 7.0.8.5 |
| CVE-2024-47888 | Oct 2024 | MEDIUM | DoS via crafted Accept header | 7.2.1.1 / 7.1.4.1 / 7.0.8.5 |
| CVE-2024-47889 | Oct 2024 | MEDIUM | DoS via crafted Content-Type header | 7.2.1.1 / 7.1.4.1 / 7.0.8.5 |
| CVE-2024-54133 | Dec 2024 | HIGH | Action Pack host authorization bypass | 7.2.2.1 / 7.1.5.1 |

The October 2024 batch

On October 15, 2024, the Rails team released patches for four CVEs simultaneously across Rails 7.2, 7.1, and 7.0. This is the standard Rails security release process — vulnerabilities are held until all supported versions are patched, then released together.

CVE-2024-41128 (ReDoS in query parsing) is the most serious of the four. An attacker sending a crafted query string can cause the Rails router to hang, blocking the request thread. In multi-threaded Puma deployments, enough of these requests can exhaust the thread pool.

CVE-2024-54133 - December host authorization bypass

The final 2024 Rails CVE was CVE-2024-54133 in December — a host authorization bypass in Action Pack. Applications using ActionDispatch::HostAuthorization middleware with certain configurations could be bypassed by a crafted Host header. This affects applications restricting access by hostname. Fix version: 7.2.2.1 or 7.1.5.1.

How to stay current with Rails security releases

The Rails security mailing list publishes all CVEs as they are released. Subscribe at groups.google.com/g/rubyonrails-security. The rubyonrails.org/blog also publishes all security releases. Use PackageFix to check your current Gemfile against all known CVEs instantly.

Update Rails
# Update to latest security release
bundle update rails

# Or pin to specific version in Gemfile
gem 'rails', '~> 7.1.5'

# Verify
bundle exec rails --version
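To turn the table above into a repeatable check, here is an added Ruby example (not PackageFix's code and not Rails tooling) that reads the locked rails version out of a Gemfile.lock and compares it branch by branch against the fix versions listed on this page, using Gem::Version from RubyGems for the comparison. The Gemfile.lock excerpt is constructed; a CVE is reported as "unknown" when the table lists no patched release for the app's branch, which is the case for 6.1 on the October batch (past end of life by then, per the FAQ below) and for 7.2 on the February and June CVEs (the 7.2 branch did not exist yet), so those need a manual check against the advisory.

```ruby
# Patched versions per CVE, copied from the table above (newest branch first).
RAILS_2024_FIXES = {
  "CVE-2024-26143" => %w[7.1.3.1 7.0.8.1 6.1.7.7],
  "CVE-2024-26142" => %w[7.1.3.1 7.0.8.1 6.1.7.7],
  "CVE-2024-28103" => %w[7.1.3.4 7.0.8.4 6.1.7.8],
  "CVE-2024-41128" => %w[7.2.1.1 7.1.4.1 7.0.8.5],
  "CVE-2024-47887" => %w[7.2.1.1 7.1.4.1 7.0.8.5],
  "CVE-2024-47888" => %w[7.2.1.1 7.1.4.1 7.0.8.5],
  "CVE-2024-47889" => %w[7.2.1.1 7.1.4.1 7.0.8.5],
  "CVE-2024-54133" => %w[7.2.2.1 7.1.5.1],
}.freeze

# Constructed Gemfile.lock excerpt (not from a real project) used by the demo.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      rails (7.1.3)
  DEPENDENCIES
    rails (~> 7.1.3)
LOCK

# The resolved gem appears under specs as "    rails (x.y.z)"; the "~>" DEPENDENCIES line is skipped.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([\d.]+)\)$/)
  m && m[1]
end

# Compare a version against the fix list branch by branch (7.1.3 is on branch 7.1).
# :vulnerable = the branch has a patched release and this version is older than it;
# :unknown = the table lists no patched release for this branch at all.
def check_rails_version(version_string)
  version = Gem::Version.new(version_string)
  branch  = version.segments.first(2).join(".")
  report  = { vulnerable: [], unknown: [] }
  RAILS_2024_FIXES.each do |cve, fixes|
    fix = fixes.find { |f| f.start_with?("#{branch}.") }
    if fix.nil?
      report[:unknown] << cve
    elsif version < Gem::Version.new(fix)
      report[:vulnerable] << cve
    end
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  report = check_rails_version(locked_rails_version(SAMPLE_LOCK))
  puts "unpatched: #{report[:vulnerable].join(', ')}"
end
```

Point `locked_rails_version` at `File.read("Gemfile.lock")` to run it against a real project; the fix list only covers the 2024 CVEs on this page, so it complements rather than replaces a full OSV scan.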


Common questions

How do I update Rails to the latest security release?
Update your Gemfile: gem 'rails', '~> 7.1.0'. Then run bundle update rails. Always run your full test suite after updating Rails. Check the Rails security mailing list at groups.google.com/g/rubyonrails-security for announcements.
Does Rails backport security fixes to older versions?
Yes - Rails backports security fixes to all currently supported branches. When a CVE is released, patches are available for the two most recent major versions simultaneously. Rails 6.1 reached end of life in June 2024 - upgrade to 7.0 or 7.1 to continue receiving security patches.
How do I know which Rails security releases affect my version?
Each CVE announcement lists the affected version ranges and patched versions. The Rails blog at rubyonrails.org/blog and the rubyonrails-security Google Group publish all security releases. PackageFix checks your Gemfile against the OSV database which includes all Rails CVEs.
What is the current supported Rails version in 2026?
As of early 2026, Rails 7.1 and 7.2 are the actively maintained branches. Rails 7.0 is in security-only maintenance. Rails 6.1 and below are end of life. For new projects, use Rails 7.2.
