CVE-2025-55193
Publication date 13 August 2025
Last updated 10 July 2026
Ubuntu priority
Description
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rails | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needs-triage |
Notes
seth-arnold
In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward
Severity score breakdown
CVSS version: CVSS v4.0
Base score
2.7 · Low
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-55193
- https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
- https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290 (v7.1.5.2)
- https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202 (v7.2.2.2)
- https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b (v8.0.2.1)
- https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
- https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b
- https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202