VulnerableCode Package Details - pkg:gem/spree_auth

Search for packages

Vulnerability	Summary	Fixed by
VCID-raed-358a-vqfn Aliases: CVE-2021-41275 GHSA-26xx-m4q2-xhq8	Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	4.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.4.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-raed-358a-vqfn
Aliases:
CVE-2021-41275
GHSA-26xx-m4q2-xhq8

Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏

4.2.1
Affected by 1 other vulnerability.

4.4.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-aqna-ee68-3fbr	Duplicate Advisory: Authentication Bypass by CSRF Weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	GHSA-8xfw-5q82-3652 GMS-2021-173
VCID-raed-358a-vqfn	Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	CVE-2021-41275 GHSA-26xx-m4q2-xhq8

Vulnerability

Summary

Aliases

VCID-aqna-ee68-3fbr

Duplicate Advisory: Authentication Bypass by CSRF Weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏

GHSA-8xfw-5q82-3652
GMS-2021-173

VCID-raed-358a-vqfn

CVE-2021-41275
GHSA-26xx-m4q2-xhq8

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T11:14:11.141661+00:00	GithubOSV Importer	Fixing	VCID-aqna-ee68-3fbr	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-8xfw-5q82-3652/GHSA-8xfw-5q82-3652.json	38.6.0
2026-05-31T11:13:47.938958+00:00	GithubOSV Importer	Fixing	VCID-raed-358a-vqfn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-26xx-m4q2-xhq8/GHSA-26xx-m4q2-xhq8.json	38.6.0
2026-05-31T10:17:30.662607+00:00	Ruby Importer	Fixing	VCID-raed-358a-vqfn	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-05-31T10:17:30.601657+00:00	Ruby Importer	Affected by	VCID-raed-358a-vqfn	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-05-31T00:53:59.866705+00:00	GHSA Importer	Fixing	VCID-aqna-ee68-3fbr	https://github.com/advisories/GHSA-8xfw-5q82-3652	38.6.0
2026-05-31T00:53:59.711112+00:00	GHSA Importer	Fixing	VCID-raed-358a-vqfn	https://github.com/advisories/GHSA-26xx-m4q2-xhq8	38.6.0
2026-05-30T20:56:17.433134+00:00	GitLab Importer	Fixing	VCID-raed-358a-vqfn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-05-30T20:56:17.332659+00:00	GitLab Importer	Fixing	VCID-aqna-ee68-3fbr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/GHSA-8xfw-5q82-3652.yml	38.6.0