Description
Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it. This issue has been fixed in version 5.0.4.
Published: 2026-05-22
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Devise 5.0.3 and older, the Timeoutable module turns an expired session into a redirect whose target, for any non-GET request, is the HTTP Referer header exactly as received. That header is sent by the browser and names the page the request came from, so an attacker who hosts that page controls it. The GET timeout path uses the server-side attempted_path and is not affected; only the non-GET path hands the Referer back unvalidated, a classic Open Redirect (CWE-601). An attacker can host a page with an auto-submitting cross-origin form so that a victim whose Devise session has timed out is sent off the application's domain to a phishing or malware site, with no browser warning that the origin has changed.

Affected Systems

The flaw affects any Rails application that uses the heartcombo/devise authentication library at version 5.0.3 or earlier with the Timeoutable module enabled. The module is opt-in: applications whose Devise model does not include :timeoutable never reach the vulnerable redirect path. In affected deployments, any user whose session has expired can be targeted.

Risk and Exploitability

The CVSS 3.1 score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity, and the issue is not listed in CISA's KEV catalog. Exploitation needs two conditions: the victim's Devise session must already have timed out, and the victim's browser must send a non-GET request to the application. A plain link will not do, because a GET goes down the protected attempted_path branch; the attacker instead hosts a page with an auto-submitting cross-origin form, and the Referer on that request points back at the attacker's site. Everything needed fits in one web page, so no further infrastructure is required. EPSS is not yet available, but the ease of running a phishing campaign that starts on a trusted domain makes prompt remediation advisable.

Generated by OpenCVE AI on May 22, 2026 at 21:22 UTC.

Remediation

The advisory states that the issue is fixed in Devise 5.0.4; no separate vendor workaround is published.

OpenCVE Recommended Actions

  • Upgrade Devise to version 5.0.4 or newer.
  • If an upgrade is not feasible, disabling the Timeoutable module (removing :timeoutable from the Devise model) closes the vulnerable redirect path, but it also removes idle-session expiry, so treat this as a short-term trade-off rather than a fix.
  • When redirecting after a timeout, validate or constrain the target to the application's own host, for example by reducing the Referer to a path the way store_location_for does, or by comparing its host component with the application's host before redirecting. Do this inside the failure app itself (Devise lets you install a custom one via config.warden { |manager| manager.failure_app = ... }); Rails' action_on_open_redirect setting does not reach Devise::FailureApp.
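The following is an added example, not Devise's code and not taken from the advisory. It models in plain Ruby (standard library only, so it runs outside Rails) the redirect decision the Description explains and the host check recommended in the last action above: the vulnerable shape that returns the Referer for non-GET timeouts, beside a hardened shape that either strips the host the way store_location_for's extract_path_from_location does or rejects an off-host Referer outright. The request values, the lure page, the host app.example and the function names are all constructed for this example.

```ruby
require "uri"

# Added illustration of the Timeoutable redirect decision. This is NOT Devise's
# source; Devise's real logic lives in Devise::FailureApp#redirect_url and the
# store_location_for / extract_path_from_location helpers. Request values,
# hostnames and the lure page below are constructed for the example.

ROOT_PATH = "/".freeze           # assumed fallback when no safe target is known
APP_HOST  = "app.example".freeze # constructed application host

# Vulnerable shape (Devise <= 5.0.3 with :timeoutable): a non-GET request that
# hits the timeout is redirected to the raw Referer header.
def redirect_url_vulnerable(method:, referrer:, attempted_path:)
  if method == "GET"
    attempted_path || ROOT_PATH # server-side value, not attacker-controlled
  else
    referrer || ROOT_PATH       # browser-supplied; the lure page's own URL
  end
end

# Reduce a location to path + query + fragment, dropping scheme and host, in
# the spirit of extract_path_from_location. A protocol-relative "//evil/..."
# loses its host here too. Unparseable input falls back to ROOT_PATH.
def path_only(location)
  uri  = URI.parse(location.to_s)
  path = uri.path.to_s
  path = "/#{path}" unless path.start_with?("/")
  path += "?#{uri.query}" if uri.query
  path += "##{uri.fragment}" if uri.fragment
  path
rescue URI::InvalidURIError
  ROOT_PATH
end

# Host check for callers who would rather reject than rewrite: a relative URL
# (no host) or one on the application's own host passes; anything else fails.
# "https://app.example@attacker.example/" fails because its host is the latter.
def same_host?(location, app_host)
  uri = URI.parse(location.to_s)
  uri.host.nil? || uri.host.casecmp?(app_host)
rescue URI::InvalidURIError
  false
end

# Hardened shape: the Referer is never returned verbatim. Off-host referrers
# go to ROOT_PATH; on-host ones are reduced to a path so no host survives.
def redirect_url_hardened(method:, referrer:, attempted_path:, app_host: APP_HOST)
  return attempted_path || ROOT_PATH if method == "GET"
  return ROOT_PATH if referrer.nil? || referrer.empty?
  same_host?(referrer, app_host) ? path_only(referrer) : ROOT_PATH
end

# Constructed lure page. When the browser auto-submits this cross-origin POST,
# the Referer header names the attacker's page; the meta tag is the attacker's
# way of asking the browser to send the full URL rather than only the origin.
ATTACKER_PAGE = <<~HTML
  <meta name="referrer" content="unsafe-url">
  <form id="f" method="post" action="https://#{APP_HOST}/posts">
    <input type="hidden" name="title" value="x">
  </form>
  <script>document.getElementById("f").submit()</script>
HTML

# The request the lure produces, as the app sees it once the Devise session
# has timed out, run through both redirect decisions.
def demo
  req = { method: "POST", referrer: "https://attacker.example/lure", attempted_path: nil }
  { vulnerable: redirect_url_vulnerable(**req), hardened: redirect_url_hardened(**req) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two practical notes. With the browser default referrer policy (strict-origin-when-cross-origin) a cross-origin POST carries only the origin, https://attacker.example/, which is still an off-host target; the meta tag in the lure is what an attacker uses to get the full URL through. And the vulnerable function is the shape to grep for in any local override of Devise::FailureApp, while the hardened one is what a custom failure app's redirect_url should look like until the upgrade to 5.0.4 lands.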

Advisories

Source       ID                    Title
Github GHSA  GHSA-jp94-3292-c3xv   Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
History

Fri, 22 May 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Heartcombo
                                      Heartcombo devise
Vendors & Products                    Heartcombo
                                      Heartcombo devise

Fri, 22 May 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Description                           (the advisory text shown under Description above)
Title                                 Devise: Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
Weaknesses                            CWE-601
References                            (none shown on this page)
Metrics                               cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T19:10:57.039Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40295

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T22:00:11Z

Weaknesses