CVE-2025-55193
Active Record logging vulnerable to ANSI escape injection
EPSS 0.35%
Description
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is logged directly to the terminal, the output may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.
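As an added illustration (not the Rails patch and not code from this advisory), the following shows one way an application or log pipeline can render an untrusted ID inert before it reaches a log that may be viewed in a terminal. `escape_for_log`, `lookup_failed_message` and the sample values are hypothetical names and constructed inputs; the example goes slightly beyond ANSI sequences by escaping every control character, including CR/LF.

```ruby
# Added example, not the Rails patch: make untrusted values inert before
# they are written to a log that may be displayed in a terminal.

# Unicode category Cc: C0 controls (including ESC, 0x1B), DEL, and the C1
# controls (including the single-character CSI, U+009B).
CONTROL_CHARS = /[\u0000-\u001F\u007F-\u009F]/

# Returns a UTF-8 copy of +value+ in which every control character is
# replaced by a visible \xNN escape and every invalid byte by U+FFFD.
def escape_for_log(value)
  text = value.to_s.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
  text.gsub(CONTROL_CHARS) { |ch| format('\\x%02X', ch.ord) }
end

# Hypothetical helper: builds the message an application might log for a
# failed lookup, with the caller-supplied id escaped.
def lookup_failed_message(model, id)
  "#{model} lookup failed for id=#{escape_for_log(id)}"
end

# Constructed sample inputs (not taken from any real request).
SAMPLES = [
  "42",                    # ordinary id, passes through unchanged
  "1\e[31m",               # ESC-introduced colour sequence
  "7\u009B31mspoofed",     # C1 CSI used instead of ESC [
  "9\r\nforged entry",     # CR/LF that would start a new log line
  "5\xFF".b                # byte that is not valid UTF-8
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |id| puts lookup_failed_message("User", id) }
end
```

Escaping at the point of logging protects the log regardless of how it is later viewed; upgrading to a patched version remains the fix for Active Record's own log output.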
How to fix CVE-2025-55193
To remediate CVE-2025-55193, upgrade the affected package to a fixed version below.
- Debian/rails—upgrade to 2:6.0.3.7+dfsg-2+deb11u4 or later
- —upgrade to 8.0.2.1 or later
Is CVE-2025-55193 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2:6.0.3.7+dfsg-2+deb11u4
- >= 8.0, < 8.0.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |