{"url":"http://public2.vulnerablecode.io/api/packages/160290?format=json","purl":"pkg:gem/spree_auth_devise@4.0.0","type":"gem","namespace":"","name":"spree_auth_devise","version":"4.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14341?format=json","vulnerability_id":"VCID-raed-358a-vqfn","summary":"Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n* A before_action callback (the default)\n* A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).\n* Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).\n\nThat means that applications that haven't been configured differently from what it's generated with Rails aren't affected.\n\nThanks @waiting-for-dev for reporting and providing a patch 👏","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41275","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.2263","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41275"},{"reference_url":"https://github.com/spree/spree_auth_devise","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spree/spree_auth_devise"},{"reference_url":"https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41275","reference_id":"CVE-2021-41275","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41275"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml","reference_id":"CVE-2021-41275.YML","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml"},{"reference_url":"https://github.com/advisories/GHSA-26xx-m4q2-xhq8","reference_id":"GHSA-26xx-m4q2-xhq8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-26xx-m4q2-xhq8"},{"reference_url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8","reference_id":"GHSA-26xx-m4q2-xhq8","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"},{"reference_url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr","reference_id":"GHSA-6mqr-q86q-6gwr","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr"},{"reference_url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652","reference_id":"GHSA-8xfw-5q82-3652","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652"},{"reference_url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954","reference_id":"GHSA-gpqc-4pp7-5954","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954"},{"reference_url":"https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2","reference_id":"GHSA-xm34-v85h-9pg2","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58570?format=json","purl":"pkg:gem/spree_auth_devise@4.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-raed-358a-vqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58565?format=json","purl":"pkg:gem/spree_auth_devise@4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-raed-358a-vqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58569?format=json","purl":"pkg:gem/spree_auth_devise@4.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-raed-358a-vqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58568?format=json","purl":"pkg:gem/spree_auth_devise@4.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-raed-358a-vqfn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.4.1"}],"aliases":["CVE-2021-41275","GHSA-26xx-m4q2-xhq8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-raed-358a-vqfn"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.0.0"}