Vulnerable Library - devise-5.0.3.gem
Flexible authentication solution for Rails with Warden
Library home page: https://rubygems.org/gems/devise-5.0.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/devise-5.0.3.gem
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (devise version) |
Remediation Possible** |
| CVE-2026-40295 |
 Medium |
6.1 |
devise-5.0.3.gem |
Direct |
devise - 5.0.4 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-40295
Vulnerable Library - devise-5.0.3.gem
Flexible authentication solution for Rails with Warden
Library home page: https://rubygems.org/gems/devise-5.0.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/devise-5.0.3.gem
Dependency Hierarchy:
- ❌ devise-5.0.3.gem (Vulnerable Library)
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
Summary When the "Timeoutable" module is enabled in Devise, the "FailureApp#redirect_url" method returns "request.referrer" — the HTTP "Referer" header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side "attempted_path") and Devise's own "store_location_for" mechanism (which strips external hosts via "extract_path_from_location"), both of which are protected; only the non-GET timeout redirect path is unprotected. Details The vulnerable code is in "lib/devise/failure_app.rb": def redirect_url if warden_message == :timeout flash[:timedout] = true if is_flashing_format? path = if request.get? attempted_path # safe: server-side value from warden options else request.referrer # UNSAFE: HTTP Referer header, attacker-controlled end path || scope_url else scope_url end end This is passed directly to "redirect_to": def redirect store_location! ... redirect_to redirect_url # redirect_url may be an external attacker URL end The GET timeout path uses "attempted_path", which is set server-side by Warden and cannot be influenced by the client. The "store_location!" method also only runs for GET requests, so no session-based protection is applied on POST timeouts. By contrast, Devise's "store_location_for" method (used elsewhere) correctly sanitizes URLs via "extract_path_from_location", which strips the scheme and host. Impact - Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL. - The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings. - An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites. Note: Rails' built-in open-redirect protection does not mitigate this issue. "Devise::FailureApp" is an "ActionController::Metal" app with its own isolated copy of the relevant redirect configuration, so "config.action_controller.action_on_open_redirect = :raise" (and the older "raise_on_open_redirects" setting) do not reach it. Patches This is patched in Devise v5.0.4. Users should upgrade as soon as possible. Workaround None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer ("Devise::FailureApp#redirect_url" and "Devise::Controllers::StoreLocation#extract_path_from_location"). Remove the monkey-patch after upgrading.
Publish Date: 2026-05-16
URL: CVE-2026-40295
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jp94-3292-c3xv
Release Date: 2026-05-09
Fix Resolution: devise - 5.0.4
Step up your Open Source Security Game with Mend here
Flexible authentication solution for Rails with Warden
Library home page: https://rubygems.org/gems/devise-5.0.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/devise-5.0.3.gem
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - devise-5.0.3.gem
Flexible authentication solution for Rails with Warden
Library home page: https://rubygems.org/gems/devise-5.0.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/devise-5.0.3.gem
Dependency Hierarchy:
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
Summary When the "Timeoutable" module is enabled in Devise, the "FailureApp#redirect_url" method returns "request.referrer" — the HTTP "Referer" header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side "attempted_path") and Devise's own "store_location_for" mechanism (which strips external hosts via "extract_path_from_location"), both of which are protected; only the non-GET timeout redirect path is unprotected. Details The vulnerable code is in "lib/devise/failure_app.rb": def redirect_url if warden_message == :timeout flash[:timedout] = true if is_flashing_format? path = if request.get? attempted_path # safe: server-side value from warden options else request.referrer # UNSAFE: HTTP Referer header, attacker-controlled end path || scope_url else scope_url end end This is passed directly to "redirect_to": def redirect store_location! ... redirect_to redirect_url # redirect_url may be an external attacker URL end The GET timeout path uses "attempted_path", which is set server-side by Warden and cannot be influenced by the client. The "store_location!" method also only runs for GET requests, so no session-based protection is applied on POST timeouts. By contrast, Devise's "store_location_for" method (used elsewhere) correctly sanitizes URLs via "extract_path_from_location", which strips the scheme and host. Impact - Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL. - The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings. - An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites. Note: Rails' built-in open-redirect protection does not mitigate this issue. "Devise::FailureApp" is an "ActionController::Metal" app with its own isolated copy of the relevant redirect configuration, so "config.action_controller.action_on_open_redirect = :raise" (and the older "raise_on_open_redirects" setting) do not reach it. Patches This is patched in Devise v5.0.4. Users should upgrade as soon as possible. Workaround None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer ("Devise::FailureApp#redirect_url" and "Devise::Controllers::StoreLocation#extract_path_from_location"). Remove the monkey-patch after upgrading.
Publish Date: 2026-05-16
URL: CVE-2026-40295
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jp94-3292-c3xv
Release Date: 2026-05-09
Fix Resolution: devise - 5.0.4
Step up your Open Source Security Game with Mend here