Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/spree_auth_devise@4.0.1
purl pkg:gem/spree_auth_devise@4.0.1
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-raed-358a-vqfn
Aliases:
CVE-2021-41275
GHSA-26xx-m4q2-xhq8
Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch đź‘Ź
4.1.1
Affected by 1 other vulnerability.
4.2.1
Affected by 1 other vulnerability.
4.4.1
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-3upb-sz3e-ayf6 Duplicate This advisory duplicates another. GHSA-gpqc-4pp7-5954
GMS-2021-174
VCID-raed-358a-vqfn Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch đź‘Ź CVE-2021-41275
GHSA-26xx-m4q2-xhq8

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T11:14:10.659787+00:00 GithubOSV Importer Fixing VCID-3upb-sz3e-ayf6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-gpqc-4pp7-5954/GHSA-gpqc-4pp7-5954.json 38.6.0
2026-05-31T11:13:47.997093+00:00 GithubOSV Importer Fixing VCID-raed-358a-vqfn https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-26xx-m4q2-xhq8/GHSA-26xx-m4q2-xhq8.json 38.6.0
2026-05-31T10:17:30.656652+00:00 Ruby Importer Affected by VCID-raed-358a-vqfn https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml 38.6.0
2026-05-31T10:17:30.595320+00:00 Ruby Importer Fixing VCID-raed-358a-vqfn https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml 38.6.0
2026-05-31T00:53:59.896055+00:00 GHSA Importer Fixing VCID-3upb-sz3e-ayf6 https://github.com/advisories/GHSA-gpqc-4pp7-5954 38.6.0
2026-05-31T00:53:59.797200+00:00 GHSA Importer Fixing VCID-raed-358a-vqfn https://github.com/advisories/GHSA-26xx-m4q2-xhq8 38.6.0
2026-05-30T20:56:17.517579+00:00 GitLab Importer Fixing VCID-3upb-sz3e-ayf6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml 38.6.0
2026-05-30T20:56:17.437754+00:00 GitLab Importer Fixing VCID-raed-358a-vqfn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml 38.6.0