PT-2026-39182 · Heartcombo+3 · Devise+1

Offset · Published 2026-05-08 · Updated 2026-05-23 · CVE-2026-40295

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Devise versions 5.0.3 and earlier
Description: When the Timeoutable module is enabled, the FailureApp#redirect_url method returns request.referrer (the HTTP Referer header) without validation for any non-GET request that results in a session timeout. Because the Referer header is attacker-controllable, an attacker hosting a page with an auto-submitting cross-origin form can cause a victim with an expired session to be redirected to an arbitrary external URL. The non-GET timeout redirect path is unprotected, unlike the GET timeout path, which uses the server-side attempted_path and the store_location_for mechanism; that mechanism calls extract_path_from_location to strip external hosts. This can be used for phishing or malware delivery by redirecting users from a trusted domain to an attacker-controlled site, bypassing browser warnings. Rails' built-in open-redirect protection does not mitigate the issue because Devise::FailureApp is an ActionController::Metal app with its own isolated redirect configuration.
Recommendations: Update to version 5.0.4.
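The defensive pattern the GET path relies on, reducing an untrusted location to a same-site path before redirecting, as an added example that is not Devise's own code; the helper name same_site_redirect_path and the sample Referer values are constructed for illustration.

```ruby
require "uri"

# Added example, not Devise's own code: reduce a redirect target taken from an
# untrusted source (here the Referer header) to a path on the current site
# before a failure app redirects a timed-out user. `fallback` is returned for
# anything that could leave the origin.
def same_site_redirect_path(location, fallback: "/")
  return fallback if location.nil? || location.strip.empty?

  uri = URI.parse(location.strip)
  # "javascript:..." and "mailto:..." parse as opaque URIs with no path.
  return fallback unless uri.opaque.nil?

  # Dropping scheme, userinfo, host and port is what turns
  # "https://evil.example/phish" into "/phish" on our own host.
  path = uri.path.to_s
  # Collapse leading slashes so the browser cannot read the result as a
  # protocol-relative URL ("//evil.example").
  path = path.sub(%r{\A/+}, "/")
  return fallback unless path.start_with?("/")

  path += "?#{uri.query}" if uri.query
  path += "##{uri.fragment}" if uri.fragment
  path
rescue URI::InvalidURIError
  # Backslash tricks such as "/\evil.example" are not valid URIs at all.
  fallback
end

# Constructed sample Referer values, each with the redirect it must yield.
SAMPLE_REFERERS = {
  "https://app.example/account/settings#billing" => "/account/settings#billing",
  "https://evil.example/phish?next=1"           => "/phish?next=1",
  "//evil.example"                               => "/",
  "javascript:alert(1)"                          => "/",
  "/\\evil.example"                              => "/",
  nil                                            => "/",
}.freeze

# Returns true when every constructed sample maps to a same-site path.
def all_samples_safe?
  SAMPLE_REFERERS.all? { |referer, expected| same_site_redirect_path(referer) == expected }
end

puts(all_samples_safe? ? "all referers reduced to same-site paths" : "mismatch")
```

The fallback should be the application's own sign-in path so a timed-out user lands on a trusted page rather than wherever the Referer pointed.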

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers: CVE-2026-40295, GHSA-JP94-3292-C3XV

Affected Products: Devise, Ruby-Devise