Unknown · Solidus Auth Devise · CVE-2021-41274
**Name of the Vulnerable Software and Affected Versions**
`solidus_auth_devise` versions prior to 2.5.4
**Description**
The issue is a CSRF vulnerability that allows user account takeover. It affects applications using any version of the frontend component of `solidus_auth_devise` if the `protect_from_forgery` method is executed as a `before_action` callback or a `prepend_before_action` before the `:load_object` hook in `Spree::UsersController`, and is configured to use the `:null_session` or `:reset_session` strategy.
**Recommendations**
To resolve the issue, update to `solidus_auth_devise` version 2.5.4.
If updating is not possible, change the strategy to `:exception` by adding `protect_from_forgery with: :exception` to the `ApplicationController`.
Alternatively, add `config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end` to `config/application.rb` to run the `:exception` strategy on the affected controller.
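The following is an added illustration, not code from `solidus_auth_devise`: a toy filter chain that models the advisory's ordering condition (`protect_from_forgery` running before `:load_object`) under each CSRF strategy, to show why only `:exception` stops a forged update. It simplifies the real stack by assuming the user's identity was already resolved before the controller filters run, so nulling or resetting the controller session does not remove it; all names, users and tokens are constructed.

```ruby
# Added illustration, not solidus_auth_devise code. Simplifying assumption:
# the user's identity is resolved before the controller filters run, so a
# nulled or reset controller session does not remove it.

class InvalidAuthenticityToken < StandardError; end

# Constructed stand-in for the authentication middleware: resolves the user
# from the session cookie and attaches user and session to the request.
def authenticate(request, users)
  user = users[request[:cookie_user_id]]
  request.merge(current_user: user, session: { csrf_token: "tok-#{user && user[:id]}" })
end

# Stand-in for Rails' verify_authenticity_token under the three strategies.
# Only :exception stops the request; :null_session and :reset_session let it
# continue with an emptied session.
def protect_from_forgery(request, strategy)
  return request if request[:authenticity_token] == request.dig(:session, :csrf_token)
  case strategy
  when :exception                     then raise InvalidAuthenticityToken
  when :null_session, :reset_session  then request.merge(session: {})
  else raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

# Stand-in for the :load_object hook, which runs after protect_from_forgery
# in the affected configuration and picks up the already-resolved user.
def load_object(request)
  request[:current_user]
end

# Models the update action: protect_from_forgery first, :load_object second.
# Returns the updated user record, or :unauthenticated when no user loads.
def update_account(request, strategy, users, params)
  request = protect_from_forgery(request, strategy)
  user = load_object(request)
  return :unauthenticated unless user
  users[user[:id]] = user.merge(params)
end

USERS = { 1 => { id: 1, email: "alice@example.test" } }.freeze  # constructed sample

# A forged cross-site request: the browser sends the victim's session cookie,
# but the form carries no authenticity token.
FORGED = { cookie_user_id: 1, authenticity_token: nil }.freeze

# Runs the forged request against a fresh copy of the sample data.
def run_forged(strategy, params = { email: "changed@example.test" })
  users = Marshal.load(Marshal.dump(USERS))
  update_account(authenticate(FORGED, users), strategy, users, params)
end
```

With `:null_session` or `:reset_session` the forged request changes the email; with `:exception` it raises before `:load_object` runs.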