Sign In

CVE-2026-40295

ADVISORY - github

Summary

Summary

When the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected.

Details

The vulnerable code is in lib/devise/failure_app.rb:

def redirect_url
  if warden_message == :timeout
    flash[:timedout] = true if is_flashing_format?

    path = if request.get?
      attempted_path          # safe: server-side value from warden options
    else
      request.referrer        # UNSAFE: HTTP Referer header, attacker-controlled
    end

    path || scope_url
  else
    scope_url
  end
end

This is passed directly to redirect_to:

def redirect
  store_location!
  # ...
  redirect_to redirect_url   # redirect_url may be an external attacker URL
end

The GET timeout path uses attempted_path, which is set server-side by Warden and cannot be influenced by the client. The store_location! method also only runs for GET requests, so no session-based protection is applied on POST timeouts.

By contrast, Devise's store_location_for method (used elsewhere) correctly sanitizes URLs via extract_path_from_location, which strips the scheme and host.

Impact

  • Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL.
  • The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings.
  • An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites.

Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it.

Patches

This is patched in Devise v5.0.4. Users should upgrade as soon as possible.

Workaround

None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (Devise::FailureApp#redirect_url and Devise::Controllers::StoreLocation#extract_path_from_location). Remove the monkey-patch after upgrading.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-jp94-3292-c3xv
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-601

CVSS SCORE

6.1medium
PackageTypeOS NameOS VersionAffected RangesFix Versions
devisegem--<=5.0.35.0.4

CVSS:3 Severity and metrics

The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.

The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.

Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.

There is no impact to availability within the impacted component.