Ruby on Rails CVEs 2024 — All Security Releases
Rails shipped fixes for the eight CVEs below during 2024, in four batches: February (7.0.8.1 / 7.1.3.1), June (7.1.3.4, with 7.0.8.4 and 6.1.7.8), October (7.2.1.1 / 7.1.4.1, with 7.0.8.5 and 6.1.7.9) and December (8.0.0.1 / 7.2.2.1 / 7.1.5.1). Each batch patched every maintained series at once. The October batch (four regular-expression denial-of-service fixes released together) and the December Content Security Policy bypass (CVE-2024-54133) are the ones most likely to matter for a production application. Five of the eight are ReDoS issues that, per the Rails advisories, do not affect applications running Ruby 3.2 or later.
Rails 2024 CVEs
| CVE | Component | Severity | Description | Fixed in |
|---|---|---|---|---|
| CVE-2024-26143 | Action Controller | HIGH | XSS via the `translate` / `t` helper when a key ending in `_html` is given a `:default` built from untrusted input | 7.0.8.1, 7.1.3.1 |
| CVE-2024-26142 | Action Dispatch | HIGH | ReDoS in Accept header parsing (Rails 7.1.0 to 7.1.3; Ruby 3.2+ not affected) | 7.1.3.1 |
| CVE-2024-28103 | Action Pack | MEDIUM | Permissions-Policy header not set on non-HTML responses | 6.1.7.8, 7.0.8.4, 7.1.3.4 |
| CVE-2024-41128 | Action Dispatch | HIGH | ReDoS in query parameter filtering (Ruby 3.2+ not affected) | 7.1.4.1, 7.2.1.1 |
| CVE-2024-47887 | Action Controller | HIGH | ReDoS in HTTP Token authentication (Ruby 3.2+ not affected) | 7.1.4.1, 7.2.1.1 |
| CVE-2024-47888 | Action Text | MEDIUM | ReDoS in `plain_text_for_blockquote_node` (Ruby 3.2+ not affected) | 7.1.4.1, 7.2.1.1 |
| CVE-2024-47889 | Action Mailer | MEDIUM | ReDoS in `block_format` (Ruby 3.2+ not affected) | 7.1.4.1, 7.2.1.1 |
| CVE-2024-54133 | Action Dispatch | HIGH | Content Security Policy bypass: directive values built from untrusted input could inject new directives | 7.1.5.1, 7.2.2.1, 8.0.0.1 |
Safe versions
Pin to the first release of each series that carries every 2024 fix. Note that `'~> 7.2.2'` on its own still allows 7.2.2, which predates the December fix, so add a lower bound:

```ruby
# Gemfile

# Rails 7.2
gem 'rails', '~> 7.2.2', '>= 7.2.2.1'

# Rails 7.1
gem 'rails', '~> 7.1.5', '>= 7.1.5.1'
```

Then update and verify:

```sh
bundle update rails --conservative   # update rails only, leave other shared dependencies alone
bundle exec rails --version          # expect 7.2.2.1 / 7.1.5.1 or newer
```
CVE-2024-54133 — Content Security Policy bypass
Disclosed December 10, 2024 alongside Rails 7.1.5.1, 7.2.2.1 and 8.0.0.1, this is the most serious of the 2024 batch for production applications. ActionDispatch::ContentSecurityPolicy did not validate directive values, so an application that builds its Content-Security-Policy header dynamically from untrusted input (for example, adding a user-supplied origin to `connect-src` or `frame-src`) could have a value containing a semicolon terminate the current directive and inject a new one, weakening or bypassing the policy. Applications whose CSP is entirely static are not affected. The patched releases reject directive values that contain whitespace or semicolons; until you upgrade, do not pass untrusted input into CSP directives. Fix: Rails 7.1.5.1, 7.2.2.1 or 8.0.0.1.
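The injection described above, reduced to plain Ruby so it runs without Rails. This is an added example, not code from the page or from Rails: `serialize_csp`, `csp_header_unsafe`, `csp_header_safe`, `parse_csp`, the `InvalidDirectiveError` class and the constructed origins are all this example's own names. The hardened path mirrors the rule the patched releases enforce (values with whitespace or semicolons are refused) but is not the framework's implementation.

```ruby
# Serialise a policy the way the header is written: directives joined by "; ",
# each directive's sources joined by spaces.
def serialize_csp(directives)
  directives.map { |name, sources| ([name] + sources).join(" ") }.join("; ")
end

# Pre-fix behaviour: a user-supplied origin is appended to connect-src with no
# validation, so a value carrying "; " ends the directive and starts a new one.
def csp_header_unsafe(user_origin)
  serialize_csp("default-src" => ["'self'"], "connect-src" => ["'self'", user_origin])
end

# Hardened: refuse any source containing whitespace or a semicolon before it is
# serialised. The exception class is this example's, not Rails'.
class InvalidDirectiveError < ArgumentError; end

def validate_source!(directive, source)
  if source.include?(";") || source.match?(/[[:space:]]/)
    raise InvalidDirectiveError,
          "invalid #{directive} source #{source.inspect}: values must not contain whitespace or semicolons"
  end
  source
end

def csp_header_safe(user_origin)
  csp_header_unsafe(validate_source!("connect-src", user_origin))
end

# Minimal CSP parser: directive name => sources, keeping the first occurrence of
# a directive, which is what browsers do when a directive is repeated.
def parse_csp(header)
  header.split(";").each_with_object({}) do |raw, policy|
    tokens = raw.strip.split(/[[:space:]]+/)
    next if tokens.empty?
    name = tokens.shift
    policy[name] ||= tokens
  end
end

# Sources a browser would allow scripts from: script-src if present, otherwise
# the default-src fallback.
def effective_script_src(header)
  policy = parse_csp(header)
  policy["script-src"] || policy["default-src"]
end

# Constructed inputs for a stand-alone run. The evil value opens with a
# legitimate-looking origin and then injects a script-src directive.
BENIGN_ORIGIN = "https://api.example"
EVIL_ORIGIN   = "https://api.example; script-src https://attacker.example"

if $PROGRAM_NAME == __FILE__
  puts csp_header_unsafe(EVIL_ORIGIN)
  puts "scripts allowed from: #{effective_script_src(csp_header_unsafe(EVIL_ORIGIN)).join(' ')}"
  begin
    csp_header_safe(EVIL_ORIGIN)
  rescue InvalidDirectiveError => e
    puts "rejected: #{e.message}"
  end
end
```

The policy in the unsafe path has no `script-src`, so browsers fall back to `default-src 'self'`; the injected directive replaces that fallback with the attacker's origin, which is why a single unvalidated value is enough to undo the policy.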
The October 2024 batch
Rails released 6.1.7.9, 7.0.8.5, 7.1.4.1 and 7.2.1.1 on October 15, 2024, fixing four CVEs at once, all of them regular-expression denial of service: CVE-2024-41128 (query parameter filtering in Action Dispatch), CVE-2024-47887 (HTTP Token authentication in Action Controller), CVE-2024-47888 (`plain_text_for_blockquote_node` in Action Text) and CVE-2024-47889 (`block_format` in Action Mailer). In each case a crafted input makes a regular expression backtrack pathologically, so one request can tie up a worker for an unbounded time. CVE-2024-41128 is the one every application is exposed to, because it is triggered by the query string of any request; the other three need the affected feature to be used on untrusted input (token authentication, Action Text plain-text conversion, `block_format` in a mailer). All four advisories state that Ruby 3.2 and later are not affected, because Ruby 3.2's regex engine memoizes backtracking; on older Rubies, upgrade Rails.
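A small audit script that ties the safe-version guidance above to the October batch's Ruby caveat: it reads the resolved `rails` version out of a Gemfile.lock and lists which of the eight 2024 CVEs still apply, discounting the ReDoS advisories when the app runs on Ruby 3.2 or later. This is an added example, not a tool from the page or from Rails; the `ADVISORIES` table is transcribed from the fixed-version lists above for the 7.1, 7.2 and 8.0 series only (7.0 and 6.1 received some of the fixes but are not tracked here), and the Gemfile.lock excerpt is constructed.

```ruby
require "rubygems"

# First release of each tracked Rails series that fixes each 2024 CVE, from the
# Rails security advisories. A series absent from a CVE's row was never affected
# (7.2 and 8.0 shipped after the February and June fixes). redos: true marks the
# regular-expression DoS issues, which the advisories say do not affect Ruby 3.2+.
ADVISORIES = {
  "CVE-2024-26142" => { fixed: { "7.1" => "7.1.3.1" }, redos: true },
  "CVE-2024-26143" => { fixed: { "7.1" => "7.1.3.1" }, redos: false },
  "CVE-2024-28103" => { fixed: { "7.1" => "7.1.3.4" }, redos: false },
  "CVE-2024-41128" => { fixed: { "7.1" => "7.1.4.1", "7.2" => "7.2.1.1" }, redos: true },
  "CVE-2024-47887" => { fixed: { "7.1" => "7.1.4.1", "7.2" => "7.2.1.1" }, redos: true },
  "CVE-2024-47888" => { fixed: { "7.1" => "7.1.4.1", "7.2" => "7.2.1.1" }, redos: true },
  "CVE-2024-47889" => { fixed: { "7.1" => "7.1.4.1", "7.2" => "7.2.1.1" }, redos: true },
  "CVE-2024-54133" => { fixed: { "7.1" => "7.1.5.1", "7.2" => "7.2.2.1", "8.0" => "8.0.0.1" }, redos: false },
}.freeze

TRACKED_SERIES  = %w[7.1 7.2 8.0].freeze
REGEX_SAFE_RUBY = Gem::Version.new("3.2")

# Extract the resolved rails version from Gemfile.lock text. Bundler writes each
# resolved gem as "    name (version)" in the specs: block; dependency lines such
# as "rails (= 7.2.1)" or "rails (~> 7.2)" carry an operator and do not match.
def rails_version_from_lockfile(lock_text)
  m = lock_text.match(/^\s+rails \((\d+(?:\.\d+)+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# CVEs from the table that still apply to this rails version. Pass the Ruby
# version the app actually runs on so the ReDoS advisories can be discounted.
def open_cves(rails_version, ruby_version: RUBY_VERSION)
  rails_version = Gem::Version.new(rails_version) unless rails_version.is_a?(Gem::Version)
  ruby_version  = Gem::Version.new(ruby_version)  unless ruby_version.is_a?(Gem::Version)
  series = rails_version.segments.first(2).join(".")
  unless TRACKED_SERIES.include?(series)
    raise ArgumentError, "Rails #{series} is not covered here; check the advisories' fixed-version lists"
  end

  ADVISORIES.select do |_cve, info|
    fixed = info[:fixed][series]
    next false unless fixed                                  # series never affected
    next false if info[:redos] && ruby_version >= REGEX_SAFE_RUBY
    rails_version < Gem::Version.new(fixed)                  # affected and unpatched
  end.keys
end

# Constructed Gemfile.lock excerpt for a stand-alone run (not from a real app).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (7.2.1)
        actioncable (= 7.2.1)
        activerecord (= 7.2.1)
        railties (= 7.2.1)
      railties (7.2.1)

  DEPENDENCIES
    rails (~> 7.2.1)
LOCK

if $PROGRAM_NAME == __FILE__
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = rails_version_from_lockfile(lock) or abort "no rails entry found in lockfile"
  cves = open_cves(version)
  puts "rails #{version} on ruby #{RUBY_VERSION}: #{cves.empty? ? 'no open 2024 CVEs' : cves.join(', ')}"
end
```

Run it as `ruby audit.rb Gemfile.lock` against a real lockfile. The Ruby discount is deliberate but narrow: it only removes the five ReDoS entries, so a 7.2.1 app on Ruby 3.3 is still flagged for the December CSP bypass, and an app on a series outside the table is refused rather than silently reported clean.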