PT-2026-39165 — Devise

PT-2026-39165 · Rubygems · Devise

Published

2026-05-08

Updated

2026-05-08

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

When the Timeoutable module is enabled in Devise, the FailureApp#redirect url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted path) and Devise's own store location for mechanism (which strips external hosts via extract path from location), both of which are protected; only the non-GET timeout redirect path is unprotected.

Details

The vulnerable code is in lib/devise/failure app.rb:

def redirect url
 if warden message == :timeout
  flash[:timedout] = true if is flashing format?

  path = if request.get?
   attempted path     # safe: server-side value from warden options
  else
   request.referrer    # UNSAFE: HTTP Referer header, attacker-controlled
  end

  path || scope url
 else
  scope url
 end
end

This is passed directly to redirect to:

def redirect
 store location!
 # ...
 redirect to redirect url  # redirect url may be an external attacker URL
end

The GET timeout path uses attempted path, which is set server-side by Warden and cannot be influenced by the client. The store location! method also only runs for GET requests, so no session-based protection is applied on POST timeouts.

By contrast, Devise's store location for method (used elsewhere) correctly sanitizes URLs via extract path from location, which strips the scheme and host.

Impact

Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL.
The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings.
An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites.

Note : Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action controller.action on open redirect = :raise (and the older raise on open redirects setting) do not reach it.

Patches

This is patched in Devise v5.0.4. Users should upgrade as soon as possible.

Workaround

None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (Devise::FailureApp#redirect url and Devise::Controllers::StoreLocation#extract path from location). Remove the monkey-patch after upgrading.

Exploit

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601

Related Identifiers

GHSA-JP94-3292-C3XV

Affected Products

Devise