Grantcox

**Name of the Vulnerable Software and Affected Versions** Devise versions prior to 5.0.3 **Description** Devise, an authentication solution for Rails based on Warden, contains a flaw in its Confirmable module. A race condition can occur when the `reconfirmable` option is enabled, allowing an attacker to confirm an email address they do not own. This happens by desynchronizing the `confirmation token` and `unconfirmed email` fields through concurrent email change requests. The `confirmation token` is sent to an attacker-controlled email, while the `unconfirmed email` in the database points to a victim's email address. Using the token then confirms the victim's email on the attacker's account. The vulnerable component is the `Confirmable` module. The vulnerable method is `postpone email change until confirmation and regenerate confirmation token()`. **Recommendations** Versions prior to 5.0.3 should be upgraded to version 5.0.3 or later. As a workaround, applications can override the `postpone email change until confirmation and regenerate confirmation token` method from Devise models to force `unconfirmed email` to be persisted when unchanged. For applications using Mongoid, implement a workaround similar to Devise by setting `changed attributes["unconfirmed email"] = nil` to ensure the attribute is persisted.