CVE-2026-40295
Published 2026-05-22
Priority P431 · medium · 6.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 0.24% (15.1th percentile)
Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it. This issue has been fixed in version 5.0.4.
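The two redirect paths contrasted above, as an added illustration in Ruby (not Devise's own source): a vulnerable shape that hands a non-GET timeout straight to the raw Referer, beside a hardened variant that first reduces any candidate location to a same-origin path. The `Req` struct, the function names and the sample request are assumptions made for this example.

```ruby
require 'uri'

# Constructed stand-in for the request fields this check needs (assumption:
# real Devise reads them from the Rack/ActionDispatch request object).
Req = Struct.new(:method, :referrer, :attempted_path, keyword_init: true)

# Vulnerable shape described in the advisory, written as an illustration rather
# than copied from Devise: after a session timeout, a non-GET request is sent
# to the raw Referer header, which the attacker's page controls.
def vulnerable_timeout_redirect(req, root_path: '/')
  return req.attempted_path || root_path if req.method == 'GET'
  req.referrer || root_path
end

# Reduce a location to a same-origin path, in the spirit of Devise's
# extract_path_from_location: scheme, userinfo and host are dropped, and
# anything that is not a plain absolute path ("//evil.example", "javascript:")
# yields nil so the caller falls back to a safe default.
def extract_path_from_location(location)
  return nil if location.nil? || location.empty?
  uri = begin
    URI.parse(location)
  rescue URI::InvalidURIError
    return nil
  end
  path = uri.path.to_s
  # "//host" and "/\host" would be read by browsers as a new authority.
  return nil unless path.start_with?('/') && !path.start_with?('//', '/\\')
  path += "?#{uri.query}" if uri.query
  path += "##{uri.fragment}" if uri.fragment
  path
end

# Hardened variant: every candidate, including the Referer on the non-GET
# timeout path, passes through the same path-only filter before redirecting.
def hardened_timeout_redirect(req, root_path: '/')
  candidate = req.method == 'GET' ? req.attempted_path : req.referrer
  extract_path_from_location(candidate) || root_path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a POST from an attacker-hosted auto-submitting form,
  # arriving after the victim's Devise session has expired.
  post = Req.new(method: 'POST', referrer: 'https://evil.example/phish')
  puts "vulnerable: #{vulnerable_timeout_redirect(post)}"  # https://evil.example/phish
  puts "hardened:   #{hardened_timeout_redirect(post)}"    # /phish
end
```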
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| heartcombo | devise | < 5.0.4 | 5.0.4 |
| heartcombo | devise | < 5.0.4 | 5.0.4 |
| plataformatec | devise | >= 0 < 5.0.4 | 5.0.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| cvelistv5 | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
VulDB
heartcombo devise up to 5.0.3 Timeoutable FailureApp#redirect_url (GHSA-jp94-3292-c3xv)
vuldb·2026-05-23
CVE-2026-40295 [LOW] heartcombo devise up to 5.0.3 Timeoutable FailureApp#redirect_url (GHSA-jp94-3292-c3xv)
A vulnerability identified as problematic has been detected in heartcombo devise up to 5.0.3. This vulnerability affects the function FailureApp#redirect_url of the component Timeoutable Module. This manipulation causes an open redirect.
The identification of this vulnerability is CVE-2026-40295. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
CVEList
Devise: Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
cvelistv5·2026-05-22·CVSS 6.1
CVE-2026-40295 [MEDIUM] CWE-601 Devise: Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
GHSA
Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
ghsa·2026-05-08
CVE-2026-40295 [MEDIUM] CWE-601 Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.