GHSA/SYNC: 1 new devise advisory

gems/devise/CVE-2026-40295.yml

@@ -0,0 +1,103 @@
+---
+gem: devise
+cve: 2026-40295
+ghsa: jp94-3292-c3xv
+url: https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv
+title: Devise has an Open Redirect via Unvalidated `request.referrer`
+  in Timeoutable Session Timeout Handler
+date: 2026-05-08
+description: |
+  ## Summary
+
+  When the `Timeoutable` module is enabled in Devise, the
+  `FailureApp#redirect_url` method returns `request.referrer` — the
+  HTTP `Referer` header, which is attacker-controllable — without
+  validation for any non-GET request that results in a session timeout.
+  An attacker who hosts a page with an auto-submitting cross-origin
+  form can cause a victim with an expired Devise session to be
+  redirected to an arbitrary external URL. This contrasts with the
+  GET timeout path (which uses server-side `attempted_path`) and
+  Devise's own `store_location_for` mechanism (which strips external
+  hosts via `extract_path_from_location`), both of which are protected;
+  only the non-GET timeout redirect path is unprotected.
+
+  ## Details
+
+  The vulnerable code is in `lib/devise/failure_app.rb`:
+
+  ```ruby
+  def redirect_url
+    if warden_message == :timeout
+      flash[:timedout] = true if is_flashing_format?
+
+      path = if request.get?
+        attempted_path          # safe: server-side value from warden options
+      else
+        request.referrer        # UNSAFE: HTTP Referer header, attacker-controlled
+      end
+
+      path || scope_url
+    else
+      scope_url
+    end
+  end
+  ```
+
+  This is passed directly to `redirect_to`:
+
+  ```ruby
+  def redirect
+    store_location!
+    # ...
+    redirect_to redirect_url   # redirect_url may be an external attacker URL
+  end
+  ```
+
+  The GET timeout path uses `attempted_path`, which is set server-side
+  by Warden and cannot be influenced by the client. The `store_location!`
+  method also only runs for GET requests, so no session-based protection
+  is applied on POST timeouts.
+
+  By contrast, Devise's `store_location_for` method (used elsewhere)
+  correctly sanitizes URLs via `extract_path_from_location`, which
+  strips the scheme and host.
+
+  ## Impact
+
+  - Victims with expired sessions who click any attacker-crafted link
+    or visit an attacker page with an auto-submitting form are redirected
+    to an arbitrary external URL.
+  - The redirect happens transparently via a trusted domain (the target
+    app's domain), bypassing browser phishing warnings.
+  - An attacker can redirect victims to a fake login page to harvest
+    credentials (phishing), or to malicious download sites.
+
+  _Note_: Rails' built-in open-redirect protection does not mitigate
+  this issue. `Devise::FailureApp` is an `ActionController::Metal`
+  app with its own isolated copy of the relevant redirect configuration,
+  so `config.action_controller.action_on_open_redirect = :raise` (and
+  the older `raise_on_open_redirects` setting) do not reach it.
+
+  ## Patches
+
+  This is patched in Devise v5.0.4. Users should upgrade as soon as possible.
+
+  ## Workaround
+
+  None beyond upgrading. If an upgrade is not immediately possible, the
+  same changes from the patch commit can be applied as a monkey-patch
+  in a Rails initializer (`Devise::FailureApp#redirect_url` and
+  `Devise::Controllers::StoreLocation#extract_path_from_location`).
+  Remove the monkey-patch after upgrading.
+cvss_v3: 6.1
+patched_versions:
+  - ">= 5.0.4"
+related:
+  url:
+    - https://www.cve.org/CVERecord?id=CVE-2026-40295
+    - https://github.com/heartcombo/devise/releases/tag/v5.0.4
+    - https://github.com/heartcombo/devise/blob/v5.0.4/CHANGELOG.md#504---2026-05-08
+    - https://github.com/heartcombo/devise/commit/9ea459de9aec5f1217ad738c58e0d23fb9f5beaa
+    - https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360
+    - https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv
+    - https://github.com/advisories/GHSA-jp94-3292-c3xv