CVE-2025-57821: Google Sign-In for Rails allowed redirects to malformed URLs

August 27, 2025

It is possible to craft a malformed URL that passes the “same origin” check, resulting in the user being redirected to another origin.

References

github.com/advisories/GHSA-7pwc-wh6m-44q3
github.com/basecamp/google_sign_in
github.com/basecamp/google_sign_in/commit/a0548a604fb17e4eb1a57029f0d87e34e8499623
github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3
nvd.nist.gov/vuln/detail/CVE-2025-57821

Code Behaviors & Features

Detect and mitigate CVE-2025-57821 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →