SANS ISC: Critical Ruby on Rails security vulnerability - SANS Internet Storm Center
Critical Ruby on Rails security vulnerability
A new version of Ruby on Rails (a very popular framework for developing database-backed web applications) has been released which patches a critical security vulnerability.

The details about the vulnerability have not been disclosed yet, but the authors urge everyone to patch as soon as possible: "This is a MANDATORY upgrade for anyone not running on a very recent edge".

Unfortunately, they did not specify what this "very recent edge" actually is, so you cannot tell from the announcement alone whether you are vulnerable. We can confirm, though, that all older versions (0.13, 0.14, 1.0 and 1.1.x) are vulnerable.

The new version (1.1.5) is supposed to be fully compatible with 1.1.4; nevertheless, we would recommend that you check the original post about this, available at

The new version can be downloaded from

Thanks to Christian for sending us a note about this.
ISC Handler
Aug 10th 2006