Is Ruby 2.5.9 patched?
Current stable (4.0.5): 100/100
2.5.9 has 4 open critical-or-high vulnerabilities. Run 2.7.7 or later to clear them. See what 2.7.7 fixes →
Summary iPlain-English security status for Ruby 2.5.9, built from its CVEs, active-exploitation data, end-of-life date and latest release.
Ruby 2.5.9 is part of the 2.5 release line. 6 known vulnerabilities affect it. The minimum safe version is 2.7.7 — upgrade to it or later to clear the open critical/high issues. The 2.5 line reached end-of-life on 2021-03-31, so it no longer receives security patches. The latest supported Ruby release is 4.0.5.
Known issues affecting 2.5.9
Exploited first, then by exploitation probability.
CVE-2021-28966 HIGH EPSS 58% → fixed in 3.0.1 CVE-2021-28965 HIGH EPSS 5% → fixed in 3.0.1 CVE-2022-28739 HIGH EPSS 4% → fixed in 3.1.2 CVE-2021-31810 MEDIUM EPSS 3% → see advisory CVE-2021-41819 HIGH EPSS 3% → fixed in 3.0.3 CVE-2023-28756 MEDIUM EPSS 2% → see advisoryOther Ruby versions
Check another release line of Ruby.
Frequently asked
Is Ruby 2.5.9 patched?
Ruby 2.5.9 is end-of-life and no longer receives security patches. Move to 4.0.5.
What version should I upgrade Ruby 2.5.9 to?
Upgrade Ruby 2.5.9 to at least 2.7.7 to clear its 4 open critical-or-high vulnerabilities.
When does Ruby 2.5 reach end-of-life?
Ruby 2.5 reached end-of-life on 2021-03-31 and no longer receives security patches.
What is the latest version of Ruby?
The latest supported Ruby release is 4.0.5.
Is Ruby 2.5.9 still receiving security updates?
No — Ruby 2.5.9 is on the 2.5 line, which reached end-of-life on 2021-03-31 and no longer receives security updates. Upgrade to 4.0.5 or later to stay supported.
Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Ruby's official advisory before you patch or upgrade — Ruby official site ↗