View all Blog Posts
Products
Mar 30, 2026

Ruby on Rails End-of-Life Versions: The Dual Ruby + Rails EOL Problem Enterprises Face in 2026

Why Running EOL Ruby and Rails Together Creates Compounding Security Risk—and What to Do About It

Give me the TL;DR
Ruby on Rails End-of-Life Versions: The Dual Ruby + Rails EOL Problem Enterprises Face in 2026
For Qualys admins, NES for .NET directly resolves the EOL/Obsolete Software:   Microsoft .NET Version 6 Detected vulnerability, ensuring your systems remain secure and compliant. Fill out the form to get pricing details and learn more.

The convergence is unprecedented. Ruby 3.2 reaches end-of-life on March 31, 2026, while Rails 7.0 reached EOL in April 2025 and Rails 7.1 ended support in October 2025. For enterprises still running older versions, this creates a compounding risk that goes beyond typical EOL challenges: you're not just managing one expired framework, but potentially two expired technologies in your stack simultaneously.

This dual Ruby on Rails EOL problem affects more organizations than you might expect. Ruby 3.1 already reached end-of-life on March 31, 2025, and many applications still run Rails 7.0 or 7.1 on these EOL Ruby versions. When both your runtime and framework are unsupported, security vulnerabilities remain unpatched at multiple layers of your stack.

The Ruby end of life timeline creating the problem

Ruby follows a predictable 3 years, 3 months support cycle, with new major versions released every December 25th. Here's where enterprises stand in 2026:

Ruby versions currently at risk:

  • Ruby 3.1: EOL March 31, 2025 (already expired)
  • Ruby 3.2: EOL March 31, 2026 (weeks away)
  • Ruby 3.0: EOL March 31, 2024 (long expired)

Ruby versions with remaining support:

  • Ruby 3.3: Supported until March 31, 2027
  • Ruby 3.4: Supported until March 31, 2028

The timing creates a perfect storm. As Ruby 3.2 exits support, many applications won't have completed their Rails upgrades either, leaving them vulnerable on both fronts.

Rails 7.0 end of life and the maintenance policy change

Rails 7.0 reached end-of-life on April 1, 2025, and Rails 7.1 completed its security support period in October 2025. This represents a significant shift in the Rails ecosystem's support landscape.

Current Rails EOL status:

  • Rails 7.0: EOL (no patches since April 2025)
  • Rails 7.1: EOL (no patches since October 2025)
  • Rails 7.2: Security support until August 2026
  • Rails 8.0: Full support until November 2026

Starting with Rails 7.2, each minor release receives bug fixes for 1 year and security fixes for 2 years. This new maintenance policy provides predictability but also creates sharper EOL cliffs. (For comprehensive Rails EOL dates across all versions, see Ruby on Rails End-of-Life Dates: What You Need to Know to Secure Your Applications.)

Why the dual EOL problem is particularly dangerous

Running EOL software is always risky, but the combination of an EOL Ruby version with an EOL Rails version creates exponential exposure:

Double vulnerability surface: Any security issues in Ruby itself go unaddressed while Rails vulnerabilities also remain unpatched. Recent Ruby CVEs demonstrate this risk: CVE-2025-27221 affects URI handling with userinfo leakage, while CVE-2025-27219 and CVE-2025-27220 create DoS vulnerabilities in the CGI gem.

Ecosystem abandonment: Gem authors drop support for EOL Ruby/Rails combinations, creating upgrade walls. You'll start hitting upgrade walls when bundling or deploying as the broader ecosystem moves forward.

Compliance violations: Regulatory frameworks like PCI DSS, HIPAA, GDPR, SOC2, and ISO 27001 all require organizations to use supported, patched software. Auditors can flag dual EOL configurations as critical findings.

The most dangerous Rails end of life combinations enterprises are running

Our analysis of common Ruby and Rails pairings reveals several high-risk configurations that enterprises need to address immediately. For organizations not ready for immediate migration, commercial support options like HeroDevs NES can provide security coverage during transition planning.

Critical risk (double EOL):

  • Ruby 3.0 + Rails 6.1 or earlier
  • Ruby 3.1 + Rails 7.0
  • Ruby 2.7 + any Rails version

High risk (partial EOL with closing window):

  • Ruby 3.2 + Rails 7.1 (Ruby support ends March 31, 2026)
  • Ruby 3.1 + Rails 7.2 (Ruby already EOL, Rails supported until August 2026)

Moderate risk (single EOL):

  • Ruby 3.3+ + Rails 7.0/7.1 (Ruby supported, Rails EOL)
  • Ruby 3.2 + Rails 7.2/8.0 (closing window on Ruby, Rails supported)

When paired with older Ruby versions, you're running a framework with zero support on a runtime with diminishing support. This creates a ticking time bomb for security and compliance.

Recent security fixes demonstrate the dual exposure risk

The March 2026 Rails security releases provide a concrete example of why the dual EOL problem is dangerous. Rails versions 7.2.3.1, 8.0.4.1, and 8.1.2.1 were released to address 10 critical vulnerabilities, including:

Active Storage vulnerabilities:

  • CVE-2026-33195: Path traversal in DiskService allowing unauthorized file access
  • CVE-2026-33202: Glob injection enabling directory traversal through file deletion
  • CVE-2026-33173: Insufficient metadata filtering in direct uploads
  • CVE-2026-33174: DoS vulnerability in proxy mode via Range requests

Action Pack and Action View exploits:

  • CVE-2026-33167: XSS vulnerability in debug exceptions that could leak sensitive data
  • CVE-2026-33168: XSS vulnerability in tag helpers affecting form rendering

Active Support DoS attacks:

  • CVE-2026-33169: ReDoS vulnerability in number_to_delimited helper
  • CVE-2026-33176: DoS vulnerability in number helpers via scientific notation expansion
  • CVE-2026-33170: XSS vulnerability in SafeBuffer#% affecting string interpolation

What this means for EOL versions:

Organizations running Rails 7.0 or 7.1 received zero patches for these vulnerabilities. Their applications remain permanently exposed to path traversal attacks, XSS exploits, and DoS vectors. Meanwhile, applications on supported Rails versions (7.2, 8.0, 8.1) received immediate security fixes.

This represents exactly the dual EOL risk: if you're running Rails 7.0 on Ruby 3.1, you have unpatched vulnerabilities in both your framework and runtime, with no official path to security updates.

Ruby runtime vulnerabilities compound the risk: Recent Ruby CVEs like CVE-2026-27820 (buffer overflow in Zlib::GzipReader), CVE-2025-61594 (URI credential leakage), and CVE-2025-58767 (DoS in REXML) affect the Ruby runtime itself. EOL Ruby versions like 3.1 and 3.0 never receive these patches, creating runtime-level exposure alongside the Rails framework vulnerabilities.

Why enterprises need broader ecosystem coverage

The dual Ruby + Rails EOL problem highlights a critical limitation of single-framework solutions. Enterprises rarely run just Rails in isolation. Your typical production stack includes:

  • Frontend frameworks: Angular, React, or Vue (often EOL versions)
  • Backend services: Node.js APIs, Java microservices
  • Databases: PostgreSQL, MySQL with specific version requirements
  • Infrastructure: Apache, NGINX, specific Linux distributions

A Rails-only approach leaves gaps across your broader technology stack. When your Rails app connects to a Node.js service running EOL versions, or serves assets through EOL Apache, you haven't actually solved your enterprise security posture.

HeroDevs NES: comprehensive coverage with current security patches

HeroDevs Never-Ending Support (NES) addresses the complete dual EOL challenge. Our Rails NES covers versions 2.3 through 6.1, providing security patching that extends beyond EOL dates. Critically, HeroDevs NES versions would receive patches for vulnerabilities like the March 2026 Rails security fixes, while EOL versions remain permanently vulnerable.

What sets HeroDevs apart:

  • Current vulnerability coverage: The March 2026 Rails CVEs (path traversal, XSS, DoS) demonstrate exactly what HeroDevs NES provides that EOL versions cannot get
  • Multi-ecosystem expertise: The same team securing your Rails apps also maintains AngularJS, Node.js, Spring, and other EOL frameworks in your stack
  • Compliance-ready documentation: SBOMs, VEX files, and audit evidence required for SOC 2, PCI DSS, and FedRAMP compliance
  • CVE-to-patch pipeline: Automated vulnerability scanning across all supported ecosystems, not just Rails
  • Drop-in compatibility: No code changes required for Rails 2.3-6.1 coverage

For enterprises running complex stacks, this unified approach means one vendor relationship covering your entire EOL portfolio, not separate agreements for Rails, Node.js, Angular, and Java components.

Taking action on your dual EOL risk

If you're running Rails 7.0 or 7.1: These versions are already EOL. Plan immediate upgrades to Rails 7.2 or 8.0, targeting completion before summer 2026.

If you're on Ruby 3.2: You have weeks, not months. Ruby 3.2 reaches EOL March 31, 2026. Upgrade to Ruby 3.3 or 3.4 immediately.

If you're in a double EOL configuration: Ruby 3.1/3.0 + Rails 7.0/7.1 represents critical risk. You're missing patches for vulnerabilities like the March 2026 Rails security fixes and have no official path to remediation. This requires either emergency patching through commercial support or accelerated migration planning.

For complex enterprise stacks: Consider whether your current approach addresses the complete dual EOL risk profile across your entire technology portfolio. The March 2026 Rails CVEs demonstrate how quickly new vulnerabilities emerge that affect only supported versions.

The dual EOL problem isn't just about Rails. It's about managing enterprise security across your complete technology stack. Recent security fixes like the March 2026 Rails CVEs demonstrate the ongoing risk: EOL versions remain permanently vulnerable while supported versions get immediate patches.

HeroDevs NES provides comprehensive coverage across your dual EOL risks, ensuring your Rails applications receive critical security patches like CVE-2026-33195 (path traversal) and CVE-2026-33167 (XSS in debug exceptions) while also addressing Node.js services, Angular frontends, and other EOL components in your environment. Contact our team to discuss how NES can address your dual EOL risks across your entire technology stack.

Share via:
facebook
LinkedIn
X (twitter)
Table of Contents
Read full article
Author
Greg Allen
Chief Technology Officer
Open Source Insights Delivered Monthly

Related Blog Posts

The LiteLLM Supply Chain Attack: What Happened, Why It Matters, and What to Do Next
Security
Mar 26, 2026
The LiteLLM Supply Chain Attack: What Happened, Why It Matters, and What to Do Next
How a compromised AI dependency turned into a widespread credential-stealing attack—and what developers and organizations must do now.
March 2026 Spring CVE Roundup: Six New Vulnerabilities Patched Across the Spring Ecosystem
Security
Mar 26, 2026
March 2026 Spring CVE Roundup: Six New Vulnerabilities Patched Across the Spring Ecosystem
Spring Security Alert: 6 Critical CVEs Impact Boot, Framework, and Legacy EOL Systems
Node.js 20 Goes EOL: How to Stay Secure Without a Full Migration
Products
Mar 25, 2026
Node.js 20 Goes EOL: How to Stay Secure Without a Full Migration
What Node.js 20 end-of-life means for security, compliance, and how to stay protected without rushing a migration