VulnerableCode Package Details - pkg:gem/spree_auth

Search for packages

Vulnerability	Summary	Fixed by
VCID-sxr8-kvnr-cycc Aliases: CVE-2021-41275 GHSA-26xx-m4q2-xhq8	Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	4.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.4.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-sxr8-kvnr-cycc
Aliases:
CVE-2021-41275
GHSA-26xx-m4q2-xhq8

Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏

4.2.1
Affected by 1 other vulnerability.

4.4.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-sxr8-kvnr-cycc	Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	CVE-2021-41275 GHSA-26xx-m4q2-xhq8
VCID-t26w-a5ak-9qgk	Duplicate Advisory: Authentication Bypass by CSRF Weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	GHSA-8xfw-5q82-3652 GMS-2021-173

Vulnerability

Summary

Aliases

VCID-sxr8-kvnr-cycc

CVE-2021-41275
GHSA-26xx-m4q2-xhq8

VCID-t26w-a5ak-9qgk

Duplicate Advisory: Authentication Bypass by CSRF Weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏

GHSA-8xfw-5q82-3652
GMS-2021-173

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T21:15:41.594620+00:00	GHSA Importer	Fixing	VCID-t26w-a5ak-9qgk	https://github.com/advisories/GHSA-8xfw-5q82-3652	38.6.0
2026-06-05T21:15:41.076076+00:00	GHSA Importer	Fixing	VCID-sxr8-kvnr-cycc	https://github.com/advisories/GHSA-26xx-m4q2-xhq8	38.6.0
2026-06-04T18:12:37.167801+00:00	Ruby Importer	Fixing	VCID-sxr8-kvnr-cycc	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-06-04T18:12:37.039675+00:00	Ruby Importer	Affected by	VCID-sxr8-kvnr-cycc	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-06-04T17:33:21.888573+00:00	GithubOSV Importer	Fixing	VCID-t26w-a5ak-9qgk	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-8xfw-5q82-3652/GHSA-8xfw-5q82-3652.json	38.6.0
2026-06-04T17:32:44.676725+00:00	GithubOSV Importer	Fixing	VCID-sxr8-kvnr-cycc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-26xx-m4q2-xhq8/GHSA-26xx-m4q2-xhq8.json	38.6.0
2026-06-02T04:40:32.214437+00:00	GitLab Importer	Fixing	VCID-sxr8-kvnr-cycc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-06-02T04:40:32.106917+00:00	GitLab Importer	Fixing	VCID-t26w-a5ak-9qgk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/GHSA-8xfw-5q82-3652.yml	38.6.0