VulnerableCode Package Details - pkg:gem/spree_auth

Search for packages

Vulnerability	Summary	Fixed by
VCID-sxr8-kvnr-cycc Aliases: CVE-2021-41275 GHSA-26xx-m4q2-xhq8	Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	4.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.4.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-t26w-a5ak-9qgk Aliases: GHSA-8xfw-5q82-3652 GMS-2021-173	Duplicate Advisory: Authentication Bypass by CSRF Weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	4.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-sxr8-kvnr-cycc
Aliases:
CVE-2021-41275
GHSA-26xx-m4q2-xhq8

Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏

4.1.1
Affected by 1 other vulnerability.

4.2.1
Affected by 1 other vulnerability.

4.4.1
Affected by 1 other vulnerability.

VCID-t26w-a5ak-9qgk
Aliases:
GHSA-8xfw-5q82-3652
GMS-2021-173

Duplicate Advisory: Authentication Bypass by CSRF Weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏

4.1.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:12:37.035540+00:00	Ruby Importer	Affected by	VCID-sxr8-kvnr-cycc	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-06-04T17:33:21.885041+00:00	GithubOSV Importer	Affected by	VCID-t26w-a5ak-9qgk	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-8xfw-5q82-3652/GHSA-8xfw-5q82-3652.json	38.6.0
2026-06-02T04:40:32.169372+00:00	GitLab Importer	Affected by	VCID-sxr8-kvnr-cycc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-06-02T04:40:32.099564+00:00	GitLab Importer	Affected by	VCID-t26w-a5ak-9qgk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/GHSA-8xfw-5q82-3652.yml	38.6.0