Rails Versions You Shouldn’t Be Using Anymore (and Why)
Ruby on Rails has always moved at a steady, thoughtful pace: each new version brings not only features and performance improvements but also important security hardening. But with every release cycle, older versions reach the end of their lifespan. When a version is officially End-of-Life (EOL), it no longer receives bug fixes or security patches — leaving applications increasingly vulnerable as new threats emerge.
In this post we will talk about why continuing to use EOL Rails versions can be dangerous, and how ignoring upgrade timelines can put your business at risk — not just technically, but legally and contractually.
Rails Maintenance Policy
The Rails core team has a clear maintenance policy:
- 1 year of bug fixes after a release.
- 2 years of security fixes after a release.
After that two-year window, the version is considered EOL. That means no official patch will be released for unsupported versions.
Rails Versions EOL
As of today, October 1st, 2025, here’s the status of recent Rails versions:
- Older Rails versions are already EOL and unsupported; you can check the Ruby and Rails compatibility table in this article.
- Rails 6.1.x: Reached full EOL in October 2024.
- Rails 7.0.x: Bug fix support has ended. Security support ended April 1st, 2025.
- Rails 7.1.x: Security support ended on October 1st, 2025.
- Rails 7.2 and 8.0: These are the actively maintained, supported branches receiving ongoing improvements.
If your application is still on Rails 7.1 or earlier, you’re already operating with unsupported software. And if you’re on 7.2, you should be planning your upgrade now, before support fully expires. You can always check the maintenance policy page for more information.
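A quick way to turn the table above into a check you can run in CI is to read the resolved Rails version out of Gemfile.lock and compare its branch against the security-support end dates listed in this post. This is an added example, not code from the Rails project; the table, the sample lockfile and the reference date are constructed from the post, and the exact day of the 6.1 EOL is an assumption.

```ruby
require "date"
# Security-support end dates as stated in the post (status as of October 1st, 2025);
# nil means still supported. The day for 6.1 is assumed: the post says only "October 2024".
RAILS_SECURITY_EOL = {
  "6.1" => Date.new(2024, 10, 1),
  "7.0" => Date.new(2025, 4, 1),
  "7.1" => Date.new(2025, 10, 1),
  "7.2" => nil,
  "8.0" => nil,
}.freeze

# Constructed sample Gemfile.lock for an app pinned to Rails 7.0.x.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.8)
      rails (7.0.8)
        activesupport (= 7.0.8)

  DEPENDENCIES
    rails (~> 7.0.8)
LOCK

# Resolved rails version from the specs section: the spec line is indented exactly
# four spaces, so dependency lines and the "rails (~> ...)" DEPENDENCIES entry do not match.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \((\d+(?:\.\d+)+)\)$/)
  m && m[1]
end

# :supported, :eol, or :unknown (a branch newer than the table above).
def support_status(version, today: Date.new(2025, 10, 1))
  v = Gem::Version.new(version)
  branch = v.segments.first(2).join(".")
  if RAILS_SECURITY_EOL.key?(branch)
    eol = RAILS_SECURITY_EOL[branch]
    eol.nil? || today < eol ? :supported : :eol
  elsif v < Gem::Version.new("6.1")
    :eol # everything older than 6.1 is already unsupported
  else
    :unknown
  end
end

# Returns [version, status], or nil when no rails spec line is present.
def check_lockfile(lockfile_text, today: Date.new(2025, 10, 1))
  version = locked_rails_version(lockfile_text)
  version && [version, support_status(version, today: today)]
end
```

Run it against your own lockfile with `check_lockfile(File.read("Gemfile.lock"), today: Date.today)` and fail the build on `:eol`; `:unknown` means the branch is newer than this post's table and the dates need refreshing.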
Why Running EOL Rails is Risky
Sticking to unsupported versions might seem harmless if “everything works,” but the risks stack up quickly:
- Security vulnerabilities: Known CVEs remain unpatched. For example, recent issues in Active Storage and logging could be exploited if your app hasn’t been upgraded.
- Dependency lock-in: Popular gems often drop support for outdated Rails versions, leaving you unable to benefit from new fixes or features.
- Community support: The Rails community’s energy always flows toward current versions. Tutorials, bug fixes, and upgrades will increasingly leave your version behind.
In short: the longer you wait, the harder it becomes to move forward and the more risks your application inherits.
Compliance Risks of Running Unsupported Rails
For many organizations, the biggest concern with running EOL Rails is compliance. Auditors and regulators can see it as a failure to follow industry security standards.
- Regulatory frameworks demand patching: Standards like PCI DSS (for payment data), HIPAA (for healthcare), GDPR (for data protection in the EU), SOC2 (for SaaS companies), and ISO 27001 (for information security management) all require organizations to use supported, patched software.
- Auditors typically check whether critical components in your stack are maintained. If your core framework is unsupported, that can lead to audit findings, fines, or even suspension of certifications. For example, in 2019, Capital One’s cloud misconfigurations and unpatched systems contributed to a major data breach, leading to an $80 million regulatory fine.
- In the event of a security breach, evidence that your team was knowingly running unpatched software can shift legal liability. Courts and regulators may view it as negligence, increasing fines, damages, and reputational fallout. Another well-known example is the 2017 Equifax breach, where attackers exploited an unpatched vulnerability in Apache Struts — an outdated web framework. The result: exposure of 147 million records, which led to a potential $700 million settlement.
- Beyond the legal and financial consequences, clients and partners may lose trust if they discover your company is running critical applications on outdated frameworks. In industries like finance, healthcare, or government, that reputational damage can be even more costly than fines.
In other words, choosing not to upgrade Rails isn’t just a technical shortcut — it’s a business decision with compliance, legal, and financial implications. For companies that handle sensitive data or operate under strict regulations, staying on EOL Rails versions is simply not an option.
What You Can Do if You’re Still on EOL Rails
If your application is still on Rails 6.1 or older, don’t panic — but don’t wait either. Plan your upgrade path: target Rails 7.2 or Rails 8.0, depending on your timeline, and check our Rails Upgrade Automated Roadmap to help map the path you need to get the upgrade done.
One of the most important assets for a safe upgrade is strong test coverage. If your test suite is thin, improving it should be step one; it will also help you catch failures during the upgrade project.
Conclusion
Upgrading may take planning and effort, but it pays dividends: better performance, access to modern features, easier developer onboarding, and most importantly, peace of mind. The Rails ecosystem moves forward quickly, and to stay secure and competitive, so should you. Contact us today to discuss how we can help you plan and execute your Rails upgrade.