CVE-2025-55193
Publication date 15 August 2025
Last updated 15 August 2025
Ubuntu priority
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If the log is written directly to the terminal, the output may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.
Status
Package | Ubuntu Release | Status |
---|---|---|
rails | 25.04 plucky | Needs evaluation |
rails | 24.04 LTS noble | Needs evaluation |
rails | 22.04 LTS jammy | Needs evaluation |
rails | 20.04 LTS focal | Needs evaluation |
rails | 18.04 LTS bionic | Needs evaluation |
rails | 16.04 LTS xenial | Needs evaluation |
Notes
seth-arnold
In Oneiric-Saucy, rails package is just for transition; the rails package contains actual code from vivid onward
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-55193
- https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
- https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290 (v7.1.5.2)
- https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202 (v7.2.2.2)
- https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b (v8.0.2.1)