CVE-2025-58067: Google Sign-In for Rails allowed redirect to protocol-relative URI
A user can be redirected to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL (one beginning with `//`, which the browser resolves with the current scheme but against whatever host follows the slashes), giving an open redirect after sign-in.
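One defensive way to validate a session-stored redirect target before following it, written here as an added illustration rather than the google_sign_in gem's own code or its actual fix: the module name `SafeRedirect`, the method `safe_target`, and the sample session values are all assumptions made for this example. Only absolute paths on the current origin pass; protocol-relative URLs, full URLs with a scheme, and the `/\` form that browsers normalise to `//` are replaced by a fallback path.

```ruby
require "uri"

# Hypothetical helper (not from the google_sign_in gem) that decides whether a
# post-sign-in redirect target taken from the session may be followed.
module SafeRedirect
  module_function

  # Returns the target to redirect to: the cleaned value when it is an
  # absolute path on this origin, otherwise +fallback+.
  def safe_target(value, fallback: "/")
    return fallback unless value.is_a?(String)

    candidate = value.strip
    return fallback if candidate.empty?

    # Control characters and backslashes are rejected before anything else:
    # browsers treat "/\evil.example" like "//evil.example".
    return fallback if candidate.match?(/[\x00-\x1f\\]/)

    # A protocol-relative URL keeps the scheme but changes the host.
    return fallback if candidate.start_with?("//")

    uri = begin
      URI.parse(candidate)
    rescue URI::InvalidURIError
      return fallback
    end

    # Any scheme, host or userinfo means the target is off-origin
    # (this also catches "https://..." and "javascript:..." forms).
    return fallback if uri.scheme || uri.host || uri.userinfo

    # Require an absolute path so relative names cannot escape the app.
    return fallback unless uri.path.start_with?("/")

    candidate
  end

  # Constructed sample session (not real data) showing how a controller
  # would consult the helper instead of trusting session["proceed_to"].
  def demo_targets
    sessions = [
      { "proceed_to" => "/dashboard?tab=1" },
      { "proceed_to" => "//evil.example/landing" },
      { "proceed_to" => "https://evil.example/" },
    ]
    sessions.map { |s| safe_target(s["proceed_to"]) }
  end
end

puts SafeRedirect.demo_targets.inspect if $PROGRAM_NAME == __FILE__
```

The allow-list shape is deliberate: rather than trying to enumerate every host-bearing form, the helper accepts only values that parse with no scheme, host or userinfo and begin with a single `/`, so a new bypass would have to look like an ordinary same-origin path to get through.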
References
- github.com/advisories/GHSA-5jch-xhw4-r43v
- github.com/basecamp/google_sign_in
- github.com/basecamp/google_sign_in/commit/e97aef4626b1bcbd2c6f01f7dd25f12ac855d4cc
- github.com/basecamp/google_sign_in/pull/75
- github.com/basecamp/google_sign_in/releases/tag/v1.3.1
- github.com/basecamp/google_sign_in/security/advisories/GHSA-5jch-xhw4-r43v
- github.com/rubysec/ruby-advisory-db/blob/master/gems/google_sign_in/CVE-2025-58067.yml
- nvd.nist.gov/vuln/detail/CVE-2025-58067