Ruby on Rails 8.1.2.1, 8.0.4.1, and 7.2.3.1 released
Rails 7.2, 8.0, and 8.1 have just received emergency patches (7.2.3.1, 8.0.4.1, and 8.1.2.1) for critical vulnerabilities that could let attackers steal data or crash servers outright. The update blocks path traversal attempts in Active Storage, and the DebugExceptions middleware gains protection against accidental cross-site scripting leaks. Leaving these unpatched exposes applications to denial of service through oversized file streams and to malicious glob injection during deletions. Running bundle update now is better than waiting until a breach forces everyone's hand later.
Ruby on Rails 8.1.2.1, 8.0.4.1, and 7.2.3.1 released @ Linux Compatible
Emergency patches have been released for Ruby on Rails versions 7.2, 8.0, and 8.1 to address critical vulnerabilities that could allow attackers to steal data or crash servers. The updates fix issues in Active Storage and the DebugExceptions middleware, blocking path traversal attempts and preventing cross-site scripting leaks. Developers are urged to apply these updates immediately to avoid potential data breaches and denial of service attacks. Key improvements include rejecting certain filename patterns in Active Storage and ensuring error screens do not leak sensitive information in production environments.
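As an added illustration of the two defensive checks the advisory describes (this is not code from the Rails patches or the Rails codebase), the following Ruby rejects storage keys carrying path-traversal or shell-glob patterns before they can reach a disk-backed service, and bounds a streamed download so an oversized object cannot exhaust memory. The lowercase base36 key format and the 64-character limit are assumptions made for the example.

```ruby
# Added example, not Rails code. Models two defenses named in the advisory:
# rejecting unsafe Active Storage keys and bounding streamed file reads.
require 'stringio'

# Assumed key format: lowercase base36, up to 64 characters (not from Rails).
ALLOWED_KEY = /\A[a-z0-9]{1,64}\z/.freeze
# Shell-glob metacharacters that a deletion routine must never expand.
GLOB_CHARS  = /[*?\[\]{}]/.freeze
# Parent-directory references and path separators (path traversal).
TRAVERSAL   = %r{\.\.|[/\\]}.freeze

# Returns :ok, or a symbol naming the rejection reason so callers can log it
# for detection as well as block the request.
def check_storage_key(key)
  return :not_a_string unless key.is_a?(String)
  return :empty if key.empty?
  return :traversal if key.match?(TRAVERSAL)
  return :glob if key.match?(GLOB_CHARS)
  return :bad_charset unless key.match?(ALLOWED_KEY)
  :ok
end

# Copies at most +limit+ bytes from +io+ to +out+ in +chunk+-sized reads.
# Returns [bytes_copied, truncated?]; a true truncated? flag tells the caller
# the source exceeded the cap and the stream was cut off rather than buffered.
def bounded_stream(io, out, limit:, chunk: 64 * 1024)
  copied = 0
  while copied < limit && (data = io.read([chunk, limit - copied].min))
    out.write(data)
    copied += data.bytesize
  end
  truncated = copied >= limit && !io.eof?
  [copied, truncated]
end
```

Wire check_storage_key in front of any service call that turns a key into a filesystem path or a glob, and log the non-:ok reason; the bounded_stream cap belongs wherever a blob is streamed to a client.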
