Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sxr8-kvnr-cycc
Vulnerability ID VCID-sxr8-kvnr-cycc
Aliases CVE-2021-41275
GHSA-26xx-m4q2-xhq8
Summary Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch đź‘Ź
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/spree/spree_auth_devise
https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63
CVE-2021-41275 https://nvd.nist.gov/vuln/detail/CVE-2021-41275
CVE-2021-41275.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml
GHSA-26xx-m4q2-xhq8 https://github.com/advisories/GHSA-26xx-m4q2-xhq8
GHSA-26xx-m4q2-xhq8 https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8
GHSA-6mqr-q86q-6gwr https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr
GHSA-8xfw-5q82-3652 https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652
GHSA-gpqc-4pp7-5954 https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954
GHSA-xm34-v85h-9pg2 https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:40:32.140868+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth_devise/CVE-2021-41275.yml 38.6.0