CVE-2026-40295
MEDIUM6.1EPSS 0.07%Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
Description
## Summary When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side `attempted_path`) and Devise's own `store_location_for` mechanism (which strips external hosts via `extract_path_from_location`), both of which are protected; only the non-GET timeout redirect path is unprotected. ## Details The vulnerable code is in `lib/devise/failure_app.rb`: ```ruby def redirect_url if warden_message == :timeout flash[:timedout] = true if is_flashing_format? path = if request.get? attempted_path # safe: server-side value from warden options else request.referrer # UNSAFE: HTTP Referer header, attacker-controlled end path || scope_url else scope_url end end ``` This is passed directly to `redirect_to`: ```ruby def redirect store_location! # ... redirect_to redirect_url # redirect_url may be an external attacker URL end ``` The GET timeout path uses `attempted_path`, which is set server-side by Warden and cannot be influenced by the client. The `store_location!` method also only runs for GET requests, so no session-based protection is applied on POST timeouts. By contrast, Devise's `store_location_for` method (used elsewhere) correctly sanitizes URLs via `extract_path_from_location`, which strips the scheme and host. ## Impact - Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL. - The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings. - An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites. _Note_: Rails' built-in open-redirect protection does not mitigate this issue. `Devise::FailureApp` is an `ActionController::Metal` app with its own isolated copy of the relevant redirect configuration, so `config.action_controller.action_on_open_redirect = :raise` (and the older `raise_on_open_redirects` setting) do not reach it. ## Patches This is patched in Devise v5.0.4. Users should upgrade as soon as possible. ## Workaround None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (`Devise::FailureApp#redirect_url` and `Devise::Controllers::StoreLocation#extract_path_from_location`). Remove the monkey-patch after upgrading.
Affected packages (2)
- Debian/ruby-devisefrom 0
- RubyGems/devisefrom 0, < 5.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-40295
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-40295
- PATCHhttps://github.com/heartcombo/devise
- WEBhttps://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360
- WEBhttps://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2026-40295.yml