PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40295 heartcombo CVE debrief

## Summary

Devise versions ≤5.0.3 contain an open-redirect vulnerability in the Timeoutable module. When a non-GET request triggers a session timeout, `FailureApp#redirect_url` returns the attacker-controllable HTTP Referer header without validation, enabling silent cross-origin redirects to arbitrary external URLs. This bypasses Rails' built-in open-redirect protections because `Devise::FailureApp` is an isolated `ActionController::Metal` app with its own configuration.

## Technical Details

- **Affected Component**: `Devise::FailureApp#redirect_url` method when Timeoutable is enabled
- **Root Cause**: The method returns `request.referrer` (HTTP Referer header) for non-GET timeout redirects without sanitization
- **Protected Paths**: GET timeout redirects use server-side `attempted_path`; Devise's `store_location_for` uses `extract_path_from_location` to strip external hosts
- **Bypass Mechanism**: Rails' `config.action_controller.action_on_open_redirect` and `raise_on_open_redirects` settings do not affect `Devise::FailureApp` due to its isolated `ActionController::Metal` implementation

## Attack Scenario

An attacker hosts a page with an auto-submitting cross-origin form. When a victim with an expired Devise session submits a non-GET request, they are silently redirected to an attacker-controlled URL without browser warnings, enabling phishing and malware delivery.

## Affected Versions

- **Vulnerable**: Devise ≤5.0.3
- **Fixed**: Devise 5.0.4

## CVSS 3.1 Score

**6.1 (MEDIUM)** — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

## Detection Guidance

- Review application logs for unexpected external redirects following 401/403 responses on non-GET requests
- Monitor for anomalous Referer headers in timeout scenarios
- Audit Devise version in `Gemfile.lock`

## Remediation

Upgrade to Devise 5.0.4 or later. The fix commit validates or sanitizes the redirect URL before returning it in timeout scenarios.
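The following is an added illustration, not Devise's own code or the fix commit: it places the vulnerable non-GET timeout pattern described above (returning the Referer verbatim) beside a hardened variant that reduces any Referer to a same-origin path, which is the kind of host-stripping the debrief attributes to `extract_path_from_location`. The `TimeoutRequest` struct, `FALLBACK_PATH` and the function names are assumptions standing in for the Rails request object and Devise's sign-in route.

```ruby
require "uri"

# Added example, not Devise's code: a minimal stand-in for the request object,
# so the two redirect_url variants below can be exercised without Rails.
TimeoutRequest = Struct.new(:http_method, :referrer, :attempted_path, keyword_init: true)

FALLBACK_PATH = "/users/sign_in" # hypothetical sign-in route

# Vulnerable pattern described in the debrief: a non-GET timeout redirect
# returns the Referer header verbatim, so any external URL in it is followed.
def vulnerable_redirect_url(request)
  return request.attempted_path || FALLBACK_PATH if request.http_method == "GET"
  request.referrer || FALLBACK_PATH
end

# Reduce any location to a same-origin path: keep path and query, drop scheme,
# host, userinfo and fragment. Protocol-relative ("//host") and backslash
# forms are rejected outright, because browsers treat them as an external host.
def extract_local_path(location)
  return FALLBACK_PATH if location.nil? || location.empty? || location.include?("\\")
  uri = URI.parse(location)
  path = uri.path.to_s
  return FALLBACK_PATH unless path.start_with?("/") && !path.start_with?("//")
  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  FALLBACK_PATH
end

# Hardened form: the same Referer is used only after its host has been stripped,
# so a timeout can never bounce the user off-site.
def hardened_redirect_url(request)
  target = request.http_method == "GET" ? request.attempted_path : request.referrer
  extract_local_path(target)
end
```

Because `Devise::FailureApp` sits outside the Rails controller configuration, a check like this has to live in the failure app's own redirect path rather than relying on `raise_on_open_redirects`.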
## References

- GitHub Security Advisory: GHSA-jp94-3292-c3xv
- Fix commit: 025fe2124f9928766fc46520e999633b598d0360

Vendor: heartcombo
Product: devise
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-26
Advisory published: 2026-05-22
Advisory updated: 2026-05-26

Who should care

Ruby on Rails application developers and security teams using Devise for authentication, particularly those with Timeoutable enabled in production environments. Organizations with user-facing applications where session timeouts occur during form submissions.

Technical summary

The Devise authentication library's Timeoutable module in versions ≤5.0.3 fails to validate the HTTP Referer header when handling non-GET request timeouts, returning it directly as a redirect target. This creates an open-redirect vulnerability that bypasses Rails' native protections due to Devise::FailureApp's isolated ActionController::Metal implementation. Attackers can exploit this via auto-submitting cross-origin forms to silently redirect expired-session users to malicious URLs.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Devise to version 5.0.4 or later
  • Verify Timeoutable module configuration does not rely on referrer-based redirects
  • Review application redirect flows for unexpected external URL handling
  • Monitor authentication logs for anomalous redirect patterns following session timeouts
  • Audit dependency management processes to ensure timely security patch adoption

Evidence notes

Vulnerability description and technical details sourced from NVD record and GitHub Security Advisory. CVSS vector and score from NVD. Fix version and commit hash from GitHub advisory reference.

Official resources

2026-05-22