VulnerableCode Package Details - pkg:gem/spree_auth

Search for packages

Vulnerability	Summary	Fixed by
VCID-d5ng-uxkh-d3hb Aliases: GHSA-6mqr-q86q-6gwr GMS-2021-172	Duplicate This advisory duplicates another.	4.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-sxr8-kvnr-cycc Aliases: CVE-2021-41275 GHSA-26xx-m4q2-xhq8	Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏	4.2.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.4.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-d5ng-uxkh-d3hb
Aliases:
GHSA-6mqr-q86q-6gwr
GMS-2021-172

Duplicate This advisory duplicates another.

4.2.1
Affected by 1 other vulnerability.

VCID-sxr8-kvnr-cycc
Aliases:
CVE-2021-41275
GHSA-26xx-m4q2-xhq8

Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch 👏

4.2.1
Affected by 1 other vulnerability.

4.4.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:12:37.043450+00:00	Ruby Importer	Affected by	VCID-sxr8-kvnr-cycc	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml	38.6.0
2026-06-04T17:32:42.480674+00:00	GithubOSV Importer	Affected by	VCID-d5ng-uxkh-d3hb	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mqr-q86q-6gwr/GHSA-6mqr-q86q-6gwr.json	38.6.0
2026-06-02T04:40:32.393387+00:00	GitLab Importer	Affected by	VCID-d5ng-uxkh-d3hb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml	38.6.0
2026-06-02T04:40:32.173993+00:00	GitLab Importer	Affected by	VCID-sxr8-kvnr-cycc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml	38.6.0