CVE-2025-57821: Google Sign-In for Rails allowed redirects to malformed URLs
It is possible to craft a malformed URL that passes the “same origin” check, resulting in the user being redirected to another origin.
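As an added, defensive example (not the google_sign_in gem's code and not its actual fix), the following Ruby module shows what a strict same-origin check for a post-login redirect target looks like: anything that does not parse cleanly as an http(s) URL on the application's own scheme, host and port falls back to a safe default path. The `SafeRedirect` name and the `app_origin:` argument (in Rails you would pass `request.base_url`) are assumptions.

```ruby
require "uri"

# Added example: strict same-origin validation of an untrusted redirect target.
# Not the google_sign_in gem's code; SafeRedirect and app_origin are assumed names.
module SafeRedirect
  DEFAULT_PATH = "/"

  # app_origin: the application's canonical origin, e.g. "https://app.example.com"
  # candidate:  the untrusted redirect target (String or nil)
  # Returns a path-and-query string on the app origin, never another origin.
  def self.resolve(candidate, app_origin:)
    origin = URI.parse(app_origin)
    return DEFAULT_PATH if candidate.nil? || candidate.empty?
    # Reject control characters, whitespace and backslashes outright instead of
    # relying on the parser to normalise them away.
    return DEFAULT_PATH if candidate.match?(/[\x00-\x20\\]/)

    target = begin
      URI.parse(candidate)
    rescue URI::InvalidURIError
      return DEFAULT_PATH        # malformed input is never "same origin"
    end

    # Relative targets are only accepted as plain absolute paths ("/foo");
    # scheme-relative forms ("//host/...") would resolve to another origin.
    if target.relative?
      return DEFAULT_PATH unless candidate.start_with?("/") && !candidate.start_with?("//")
      return path_and_query(target)
    end

    # Absolute targets must be http(s), carry no userinfo, and match the
    # origin's scheme, host and port exactly.
    same_origin =
      target.is_a?(URI::HTTP) &&
      target.userinfo.nil? &&
      target.scheme == origin.scheme &&
      target.host.to_s.downcase == origin.host.to_s.downcase &&
      target.port == origin.port

    same_origin ? path_and_query(target) : DEFAULT_PATH
  end

  # Re-emit only the path and query, dropping scheme/host so the response is
  # always a local redirect.
  def self.path_and_query(uri)
    path = uri.path.to_s.empty? ? "/" : uri.path
    uri.query ? "#{path}?#{uri.query}" : path
  end
end
```

Because the validator returns a path rather than echoing the original string, the redirect cannot leave the application's origin even if the parser and the caller disagree about a corner case.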
References
- github.com/advisories/GHSA-7pwc-wh6m-44q3
- github.com/basecamp/google_sign_in
- github.com/basecamp/google_sign_in/commit/85903651201257d4f14b97d4582e6d968ac32f15
- github.com/basecamp/google_sign_in/commit/a0548a604fb17e4eb1a57029f0d87e34e8499623
- github.com/basecamp/google_sign_in/pull/73
- github.com/basecamp/google_sign_in/releases/tag/v1.3.0
- github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3
- github.com/rubysec/ruby-advisory-db/blob/master/gems/google_sign_in/CVE-2025-57821.yml
- nvd.nist.gov/vuln/detail/CVE-2025-57821