GHSA-JP94-3292-C3XV
Vulnerability from github – Published: 2026-05-08 15:41 – Updated: 2026-05-08 15:41Summary
When the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected.
Details
The vulnerable code is in lib/devise/failure_app.rb:
def redirect_url
if warden_message == :timeout
flash[:timedout] = true if is_flashing_format?
path = if request.get?
attempted_path # safe: server-side value from warden options
else
request.referrer # UNSAFE: HTTP Referer header, attacker-controlled
end
path || scope_url
else
scope_url
end
end
This is passed directly to redirect_to:
def redirect
store_location!
# ...
redirect_to redirect_url # redirect_url may be an external attacker URL
end
The GET timeout path uses attempted_path, which is set server-side by Warden and cannot be influenced by the client. The store_location! method also only runs for GET requests, so no session-based protection is applied on POST timeouts.
By contrast, Devise's store_location_for method (used elsewhere) correctly sanitizes URLs via extract_path_from_location, which strips the scheme and host.
Impact
- Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL.
- The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings.
- An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites.
Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it.
Patches
This is patched in Devise v5.0.4. Users should upgrade as soon as possible.
Workaround
None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (Devise::FailureApp#redirect_url and Devise::Controllers::StoreLocation#extract_path_from_location). Remove the monkey-patch after upgrading.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.3"
},
"package": {
"ecosystem": "RubyGems",
"name": "devise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40295"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T15:41:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nWhen the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` \u2014 the HTTP `Referer` header, which is attacker-controllable \u2014 without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side `attempted_path`) and Devise\u0027s own `store_location_for` mechanism (which strips external hosts via `extract_path_from_location`), both of which are protected; only the non-GET timeout redirect path is unprotected.\n\n## Details\n\nThe vulnerable code is in `lib/devise/failure_app.rb`:\n\n```ruby\ndef redirect_url\n if warden_message == :timeout\n flash[:timedout] = true if is_flashing_format?\n\n path = if request.get?\n attempted_path # safe: server-side value from warden options\n else\n request.referrer # UNSAFE: HTTP Referer header, attacker-controlled\n end\n\n path || scope_url\n else\n scope_url\n end\nend\n```\n\nThis is passed directly to `redirect_to`:\n\n```ruby\ndef redirect\n store_location!\n # ...\n redirect_to redirect_url # redirect_url may be an external attacker URL\nend\n```\n\nThe GET timeout path uses `attempted_path`, which is set server-side by Warden and cannot be influenced by the client. The `store_location!` method also only runs for GET requests, so no session-based protection is applied on POST timeouts.\n\nBy contrast, Devise\u0027s `store_location_for` method (used elsewhere) correctly sanitizes URLs via `extract_path_from_location`, which strips the scheme and host.\n\n## Impact\n\n- Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL.\n- The redirect happens transparently via a trusted domain (the target app\u0027s domain), bypassing browser phishing warnings.\n- An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites.\n\n_Note_: Rails\u0027 built-in open-redirect protection does not mitigate this issue. `Devise::FailureApp` is an `ActionController::Metal` app with its own isolated copy of the relevant redirect configuration, so `config.action_controller.action_on_open_redirect = :raise` (and the older `raise_on_open_redirects` setting) do not reach it.\n\n## Patches\n\nThis is patched in Devise v5.0.4. Users should upgrade as soon as possible.\n\n## Workaround\n\nNone beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (`Devise::FailureApp#redirect_url` and `Devise::Controllers::StoreLocation#extract_path_from_location`). Remove the monkey-patch after upgrading.",
"id": "GHSA-jp94-3292-c3xv",
"modified": "2026-05-08T15:41:47Z",
"published": "2026-05-08T15:41:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv"
},
{
"type": "PACKAGE",
"url": "https://github.com/heartcombo/devise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.