CVE-2025-58067: Google Sign-In for Rails allowed redirect to protocol-relative URI

August 29, 2025

It is possible to redirect a user to another origin if the “proceed_to” value in the session store is set to a protocol-relative URL.

References

github.com/advisories/GHSA-5jch-xhw4-r43v
github.com/basecamp/google_sign_in
github.com/basecamp/google_sign_in/security/advisories/GHSA-5jch-xhw4-r43v
nvd.nist.gov/vuln/detail/CVE-2025-58067

Code Behaviors & Features

Detect and mitigate CVE-2025-58067 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →