GHSA-jp94-3292-c3xv
Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
Details
## Summary
When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side `attempted_path`) and Devise's own `store_location_for` mechanism (which strips external hosts via `extract_path_from_location`), both of which are protected; only the non-GET timeout redirect path is unprotected.
## Details
The vulnerable code is in `lib/devise/failure_app.rb`:
```ruby def redirect_url if warden_message == :timeout flash[:timedout] = true if is_flashing_format?
path = if request.get? attempted_path # safe: server-side value from warden options else request.referrer # UNSAFE: HTTP Referer header, attacker-controlled end
path || scope_url else scope_url end end ```
This is passed directly to `redirect_to`:
```ruby def redirect store_location! # ... redirect_to redirect_url # redirect_url may be an external attacker URL end ```
The GET timeout path uses `attempted_path`, which is set server-side by Warden and cannot be influenced by the client. The `store_location!` method also only runs for GET requests, so no session-based protection is applied on POST timeouts.
By contrast, Devise's `store_location_for` method (used elsewhere) correctly sanitizes URLs via `extract_path_from_location`, which strips the scheme and host.
## Impact
- Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL. - The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings. - An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites.
_Note_: Rails' built-in open-redirect protection does not mitigate this issue. `Devise::FailureApp` is an `ActionController::Metal` app with its own isolated copy of the relevant redirect configuration, so `config.action_controller.action_on_open_redirect = :raise` (and the older `raise_on_open_redirects` setting) do not reach it.
## Patches
This is patched in Devise v5.0.4. Users should upgrade as soon as possible.
## Workaround
None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (`Devise::FailureApp#redirect_url` and `Devise::Controllers::StoreLocation#extract_path_from_location`). Remove the monkey-patch after upgrading.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-40295 [ADVISORY]
- https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360 [WEB]
- https://github.com/heartcombo/devise [PACKAGE]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2026-40295.yml [WEB]