Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/spree_auth_devise@4.2.1
purl pkg:gem/spree_auth_devise@4.2.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-d5ng-uxkh-d3hb Duplicate This advisory duplicates another. GHSA-6mqr-q86q-6gwr
GMS-2021-172
VCID-sxr8-kvnr-cycc Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch đź‘Ź CVE-2021-41275
GHSA-26xx-m4q2-xhq8

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:40:32.399747+00:00 GitLab Importer Fixing VCID-d5ng-uxkh-d3hb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml 38.6.0
2026-06-02T04:40:32.210711+00:00 GitLab Importer Fixing VCID-sxr8-kvnr-cycc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml 38.6.0