Package details: pkg:gem/google_sign_in@0.1.4
purl pkg:gem/google_sign_in@0.1.4
Next non-vulnerable version 1.3.1
Latest non-vulnerable version 1.3.1
Risk 3.1
Vulnerabilities affecting this package (2)
Vulnerability | Summary | Fixed by

VCID-j8qu-1q3k-r3gp
Aliases: CVE-2025-57821, GHSA-7pwc-wh6m-44q3
Summary: Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, a crafted malformed URL can pass the library's "same origin" check, so the user is redirected to another origin. Rails applications that store flash data in the session cookie may be affected if this can be chained with an attack that injects arbitrary data into the session cookie. Patched in version 1.3.0. If upgrading is not possible, the chained attack can be mitigated by explicitly setting SameSite=Lax or SameSite=Strict on the application session cookie.
Fixed by: 1.3.0 (this version is itself affected by 1 other vulnerability)

VCID-sckd-vak1-bkam
Aliases: CVE-2025-58067, GHSA-5jch-xhw4-r43v
Summary: Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, a user can be redirected to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL (one beginning with "//"). Normally this value is written and read only by the library or the calling application, but it may be possible to set it from a malicious site via a form submission. Any Rails application using the google_sign_in gem may be affected if this vector can be chained with another attack that can modify the OAuth2 request parameters. Patched in version 1.3.1. There are no workarounds.
Fixed by: 1.3.1 (this version is affected by 0 other vulnerabilities)
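Both advisories describe the same class of failure: a post-login redirect target that looks local but resolves to another origin, either because a malformed URL slips past a same-origin check or because a protocol-relative "//host/..." value is treated as a path. The advisories do not publish the specific malformed URL, so none is reproduced here. The following Ruby validator is an added example, not code from the google_sign_in gem or from Basecamp; the application origin https://app.example and every sample target are constructed for the illustration. It accepts a target only when it is a plain path (one leading slash, no backslash) or an absolute URL whose scheme, host and port exactly match the application's, and it rejects anything URI cannot parse.

```ruby
require "uri"

# Added example, not code from the google_sign_in gem. Validates a post-login
# redirect target (the role the advisories' "proceed_to" value plays) against
# the application's own origin. APP_ORIGIN is an assumed value for illustration.
APP_ORIGIN = URI.parse("https://app.example")

# Returns true only for targets that cannot leave APP_ORIGIN:
#   * a path-only relative reference: exactly one leading "/", so a
#     protocol-relative "//host/..." is rejected; no backslash, because
#     browsers treat "\" like "/" and would read "/\host" as "//host";
#   * an absolute URL whose scheme, host and port all equal APP_ORIGIN's,
#     with no userinfo (so "https://app.example@evil.example/" fails).
# Anything URI cannot parse, and any other scheme (javascript:, data:, ...),
# is rejected.
def safe_redirect_target?(target)
  return false unless target.is_a?(String) && !target.empty?
  return false if target.include?("\\")

  uri = URI.parse(target)

  if uri.scheme.nil?
    # Relative reference: must be a plain path, not protocol-relative.
    return false if uri.host || uri.userinfo
    return target.start_with?("/") && !target.start_with?("//")
  end

  uri.scheme == APP_ORIGIN.scheme &&
    uri.host == APP_ORIGIN.host &&
    uri.port == APP_ORIGIN.port &&
    uri.userinfo.nil?
rescue URI::InvalidURIError
  false
end

# Constructed sample targets (not taken from the advisories) with the verdict
# the validator is expected to return.
SAMPLE_TARGETS = {
  "/dashboard"                         => true,
  "/settings?tab=security#top"         => true,
  "https://app.example/dashboard"      => true,
  "//evil.example/dashboard"           => false, # protocol-relative
  "/\\evil.example"                    => false, # backslash, browser-normalised to //
  "https://evil.example/dashboard"     => false,
  "https://app.example.evil.example/"  => false, # host-suffix trick
  "https://app.example@evil.example/"  => false, # userinfo; real host is evil.example
  "http://app.example/dashboard"       => false, # scheme downgrade
  "https://app.example:8443/dashboard" => false, # different port
  "javascript:alert(1)"                => false,
  "dashboard"                          => false, # no leading slash
  "http://exa mple.com/"               => false, # unparsable
  ""                                   => false,
}.freeze

# Maps each sample target to whether the validator agreed with the expected verdict.
def check_samples
  SAMPLE_TARGETS.map { |t, expected| [t, safe_redirect_target?(t) == expected] }.to_h
end

if $PROGRAM_NAME == __FILE__
  check_samples.each { |t, ok| puts "#{ok ? 'PASS' : 'FAIL'} #{t.inspect}" }
end
```

The validator compares parsed components rather than string prefixes, which is what makes the host-suffix, userinfo and protocol-relative cases fail closed. For the first advisory's interim mitigation, Rails 6.1 and later already default cookies to SameSite=Lax through `config.action_dispatch.cookies_same_site_protection`; setting that to `:strict`, or passing `same_site: :strict` to `config.session_store :cookie_store`, applies the stricter setting the advisory suggests.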
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-13T09:26:43.798634+00:00 | Ruby Importer | Affected by | VCID-sckd-vak1-bkam | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google_sign_in/CVE-2025-58067.yml | 38.6.0
2026-06-13T09:26:43.386581+00:00 | Ruby Importer | Affected by | VCID-j8qu-1q3k-r3gp | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google_sign_in/CVE-2025-57821.yml | 38.6.0
2026-06-12T20:14:51.850592+00:00 | GitLab Importer | Affected by | VCID-sckd-vak1-bkam | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/google_sign_in/CVE-2025-58067.yml | 38.6.0
2026-06-12T20:13:35.647611+00:00 | GitLab Importer | Affected by | VCID-j8qu-1q3k-r3gp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/google_sign_in/CVE-2025-57821.yml | 38.6.0