Advisory Database
  • Advisories
  • Dependency Scanning
  1. gem
  2. ›
  3. spree_auth_devise
  4. ›
  5. CVE-2021-41275

CVE-2021-41275: Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness

November 18, 2021 (updated July 1, 2025)

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

  • Executed whether as:
  • A before_action callback (the default)
  • A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
  • Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails –new generated skeleton use :exception).

That means that applications that haven’t been configured differently from what it’s generated with Rails aren’t affected.

Thanks @waiting-for-dev for reporting and providing a patch 👏

References

  • github.com/advisories/GHSA-26xx-m4q2-xhq8
  • github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml
  • github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
  • github.com/spree/spree_auth_devise
  • github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63
  • github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8
  • github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr
  • github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652
  • github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954
  • nvd.nist.gov/vuln/detail/CVE-2021-41275

Code Behaviors & Features

Detect and mitigate CVE-2021-41275 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 4.0.1, all versions starting from 4.1.0 before 4.1.1, all versions starting from 4.2.0 before 4.2.1, all versions starting from 4.3.0 before 4.4.1

Fixed versions

  • 4.4.1
  • 4.2.1
  • 4.1.1
  • 4.0.1

Solution

Upgrade to versions 4.0.1, 4.1.1, 4.2.1, 4.4.1 or above.

Impact 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-352: Cross-Site Request Forgery (CSRF)

Source file

gem/spree_auth_devise/CVE-2021-41275.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 27 Aug 2025 12:18:47 +0000.