Rails Daily: Critical Security Patches

Rails received major security updates addressing eight CVEs across ActiveStorage, ActionView, and other components, plus a fix for composite foreign key handling. The security patches address path traversal, XSS vulnerabilities, and denial of service risks.

Duration: PT1M47S

Episode overview

This episode is a short developer briefing from Rails Daily.

It explains recent repository work in plain language.

  • Show: Rails Daily
  • Published: 2026-03-24T10:09:09Z
  • Audio duration: PT1M47S

Transcript excerpt

This excerpt keeps the crawler page concise. Listen to the episode or use the RSS feed for the full update.

Good morning, this is Rails Daily for Tuesday, March 24th, 2026.

Kirs merged a fix for FrozenError when deriving foreign keys from inverse associations with composite foreign keys. The patch replaces an in-place array mutation that was causing crashes when working with frozen arrays from memoized reflections.

The major story today is a comprehensive security release addressing eight CVEs. Mike Dalessio committed critical ActiveStorage fixes including path traversal prevention in DiskService and glob injection protection in delete operations. These patches add validation to ensure blob keys cannot escape storage…

Gannon McGibbon introduced configurable maximum streaming chunk sizes, defaulting to 100MB limits to prevent denial of service attacks through oversized byte range requests. Jean Boussier added multi-range request restrictions and filtered user-supplied metadata in DirectUploadController to prevent internal state…

Additional security fixes include John Hawthorn's XSS prevention in debug exception pages, where exception messages were being output unescaped in script tags. Jean Boussier also patched SafeBuffer formatting to preserve unsafe status and blocked scientific…

Mike…
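The transcript mentions two classes of ActiveStorage hardening: keeping blob keys from escaping the storage root (path traversal) and keeping delete operations from being widened by glob metacharacters. The Ruby below is an added illustration of those two checks as a defender would write them; it is not Rails' or ActiveStorage's own code, and `STORAGE_ROOT`, `KEY_FORMAT` and the function names are constructed assumptions for this example.

```ruby
# Added example (not Rails code): defensive checks a disk-backed blob store
# can apply to user-influenced keys before touching the filesystem.
# STORAGE_ROOT is a constructed placeholder path.
STORAGE_ROOT = "/var/app/storage"

# Characters that are special to Dir.glob / File.fnmatch. A key containing
# any of them could widen a prefix delete into a wildcard delete.
GLOB_METACHARACTERS = /[*?\[\]{}\\]/

# Conservative allow-list for keys. Assumption for this example: generated
# keys are opaque and only ever use these characters.
KEY_FORMAT = /\A[A-Za-z0-9_-]{1,255}\z/

def valid_key?(key)
  key.is_a?(String) && KEY_FORMAT.match?(key)
end

# Returns the absolute path for +key+ under +root+, or nil if the resolved
# path is not strictly inside the root. The check runs on the normalised
# path, so "..", absolute keys and "~" are caught even if the allow-list
# above is ever loosened.
def path_for(key, root: STORAGE_ROOT)
  return nil unless key.is_a?(String) && !key.empty?
  return nil if key.include?("\0")       # NUL would truncate the path in C APIs
  return nil if key.start_with?("~")     # File.expand_path would expand home dirs
  root_path = File.expand_path(root)
  # expand_path collapses "." and ".."; an absolute key ignores the root entirely,
  # which is exactly why the containment check below is needed.
  candidate = File.expand_path(key, root_path)
  return nil unless candidate.start_with?(root_path + File::SEPARATOR)
  candidate
end

# Escape glob metacharacters so a key fragment can be embedded in a pattern
# without changing what the pattern matches.
def glob_escape(fragment)
  fragment.gsub(GLOB_METACHARACTERS) { |c| "\\#{c}" }
end

# Build the glob used for a prefix delete, or nil if the prefix would leave
# the root. The basename is escaped so "abc*" matches files literally named
# "abc*..." rather than everything starting with "abc".
def delete_pattern_for(prefix, root: STORAGE_ROOT)
  dir = path_for(prefix, root: root)
  return nil if dir.nil?
  File.join(File.dirname(dir), "#{glob_escape(File.basename(dir))}*")
end
```

`valid_key?` is the cheap front-line check; `path_for` is the defence in depth that still holds if a future change lets richer keys through, and `delete_pattern_for` shows why escaping, not just containment, matters once a key is interpolated into a glob.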
