{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40295", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.035Z", "datePublished": "2026-05-22T19:10:57.039Z", "dateUpdated": "2026-05-22T19:10:57.039Z"}, "containers": {"cna": {"title": "Devise: Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv"}, {"name": "https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360", "tags": ["x_refsource_MISC"], "url": "https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360"}], "affected": [{"vendor": "heartcombo", "product": "devise", "versions": [{"version": "< 5.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-22T19:10:57.039Z"}, "descriptions": [{"lang": "en", "value": "Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer \u2014 the HTTP Referer header, which is attacker-controllable \u2014 without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it. This issue has been fixed in version 5.0.4."}], "source": {"advisory": "GHSA-jp94-3292-c3xv", "discovery": "UNKNOWN"}}}}

{}

{}

{}

{}