All Rails CVEs — Complete Vulnerability History
Rails has a mature, well-run security process. CVEs are disclosed on the Rails blog and through the rubyonrails-security mailing list. Most Rails CVEs are XSS, CSRF, or open redirect issues — serious but manageable with prompt updates.
Ruby · 3M+ weekly downloads · 5 CVEs total · 2 CRITICAL
CVE history — all 5 known vulnerabilities
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-21831 | 2022 | CRITICAL | Code injection via YAML serialization in Action Text | Fixed in 6.1.4.7 |
| CVE-2022-32224 | 2022 | CRITICAL | RCE via YAML deserialization in PostgreSQL adapter | Fixed in 7.0.3.1 |
| CVE-2022-44566 | 2022 | HIGH | DoS via excessive string allocation in Rack body parsing | Fixed in 7.0.4 |
| CVE-2023-28362 | 2023 | HIGH | XSS via redirect URLs with crafted query params | Fixed in 7.0.5 |
| CVE-2024-26144 | 2024 | HIGH | CSRF token leak in session response headers | Fixed in 7.1.3 |
Current safe version
✓ Update to 7.1.3
The latest safe version addresses all 5 known CVEs listed above.
Before and after
Vulnerable:
gem 'rails', '6.0.0'
Fixed:
gem 'rails', '7.1.3'
Then run: bundle install
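To see which of the CVEs in the table above an installed version still misses, here is a small lockfile checker, added as an example and not PackageFix's own code: it reads Gemfile.lock text, pulls out the resolved rails version and compares it with the fix versions from the table. The Gemfile.lock excerpt is constructed for the demo.

```ruby
require "rubygems"

# Fix versions copied from the CVE table on this page (the "Fix" column).
RAILS_CVE_FIXES = {
  "CVE-2022-21831" => "6.1.4.7",
  "CVE-2022-32224" => "7.0.3.1",
  "CVE-2022-44566" => "7.0.4",
  "CVE-2023-28362" => "7.0.5",
  "CVE-2024-26144" => "7.1.3",
}.freeze

# Extract the resolved rails version from Gemfile.lock text.
# Resolved gems sit at four-space indentation under "specs:" as
# "    rails (7.0.2)"; anchoring on that exact indentation and on "rails ("
# avoids matching nested dependencies, "rails-html-sanitizer", or the
# loose "rails (~> 7.0)" entry under DEPENDENCIES.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^    rails \(([\d.]+)\)$/)
  m && Gem::Version.new(m[1])
end

# CVE IDs whose fix version is newer than the installed version.
# Gem::Version compares segment by segment, so 7.0.3.1 > 7.0.3 works as expected.
def unpatched_cves(installed_version, fixes = RAILS_CVE_FIXES)
  fixes.select { |_id, fixed_in| installed_version < Gem::Version.new(fixed_in) }.keys
end

# Constructed Gemfile.lock excerpt (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (7.0.2)
        actioncable (= 7.0.2)
      rails-html-sanitizer (1.4.2)
        loofah (~> 2.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  version = rails_version_from_lock(SAMPLE_LOCK)
  missing = version ? unpatched_cves(version) : []
  puts "rails #{version || 'not found'}: unpatched #{missing.empty? ? 'none' : missing.join(', ')}"
end
```

The table lists one fix version per CVE, while Rails ships security fixes for several release series at once, so treat this as a first screen and confirm the patched version for your series in the advisory itself.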
Common questions
What are the most serious Rails CVEs?
The YAML deserialization CVEs (CVE-2022-21831 and CVE-2022-32224) are the most severe: both are rated CRITICAL and allow remote code execution. They affect specific configurations (YAML serialization enabled, PostgreSQL adapter with certain options), but should be treated as urgent if your configuration matches.
How do I stay informed about Rails security releases?
Subscribe to rubyonrails-security@googlegroups.com and follow the Rails blog at rubyonrails.org/blog. New security releases are also announced on Rails' GitHub releases page.
Is Rails 6.x still receiving security patches?
Rails 6.1 reached end of life in June 2024. Rails 7.0 is maintained through September 2025. Rails 7.1 is the current stable release with the longest support window. If you're on Rails 6.x, plan your upgrade now.
How long does a Rails upgrade typically take?
Rails has good upgrade guides and tries to deprecate features before removing them. A 6.1 to 7.1 upgrade typically takes 1-5 days for a medium-sized app, mostly updating deprecated API calls. The security benefits make it worthwhile.