Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/spree_auth_devise@4.0.1
purl pkg:gem/spree_auth_devise@4.0.1
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.5
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-sxr8-kvnr-cycc
Aliases:
CVE-2021-41275
GHSA-26xx-m4q2-xhq8
Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch đź‘Ź
4.1.1
Affected by 1 other vulnerability.
4.2.1
Affected by 1 other vulnerability.
4.4.1
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-sxr8-kvnr-cycc Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch đź‘Ź CVE-2021-41275
GHSA-26xx-m4q2-xhq8
VCID-uhpx-ssty-yucz Duplicate This advisory duplicates another. GHSA-gpqc-4pp7-5954
GMS-2021-174

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T18:12:37.156135+00:00 Ruby Importer Affected by VCID-sxr8-kvnr-cycc https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml 38.6.0
2026-06-04T18:12:37.028382+00:00 Ruby Importer Fixing VCID-sxr8-kvnr-cycc https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml 38.6.0
2026-06-04T17:33:21.242904+00:00 GithubOSV Importer Fixing VCID-uhpx-ssty-yucz https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-gpqc-4pp7-5954/GHSA-gpqc-4pp7-5954.json 38.6.0
2026-06-04T17:32:44.742840+00:00 GithubOSV Importer Fixing VCID-sxr8-kvnr-cycc https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-26xx-m4q2-xhq8/GHSA-26xx-m4q2-xhq8.json 38.6.0
2026-06-02T04:40:32.330558+00:00 GitLab Importer Fixing VCID-uhpx-ssty-yucz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml 38.6.0
2026-06-02T04:40:32.218971+00:00 GitLab Importer Fixing VCID-sxr8-kvnr-cycc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml 38.6.0