|
| 1 | +--- |
| 2 | +gem: google_sign_in |
| 3 | +cve: 2025-57821 |
| 4 | +ghsa: 7pwc-wh6m-44q3 |
| 5 | +url: https://github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3 |
| 6 | +title: Google Sign-In for Rails allowed redirects to malformed URLs |
| 7 | +date: 2025-08-27 |
| 8 | +description: | |
| 9 | + ### Summary |
| 10 | +
|
| 11 | + It is possible to craft a malformed URL that passes the "same origin" |
| 12 | + check, resulting in the user being redirected to another origin. |
| 13 | +
|
| 14 | + ### Details |
| 15 | +
|
| 16 | + The google_sign_in gem persists an optional URL for redirection after |
| 17 | + authentication. If this URL is malformed, it's possible for the user |
| 18 | + to be redirected to another origin after authentication, possibly |
| 19 | + resulting in exposure of authentication information such as the token. |
| 20 | +
|
| 21 | + Normally the value of this URL is only written and read by the library. |
| 22 | + If applications are configured to store session information in a |
| 23 | + database, there is no known vector to exploit this vulnerability. |
| 24 | + However, applications may be configured to store this information |
| 25 | + in a session cookie, in which case it may be chained with a session |
| 26 | + cookie attack to inject a crafted URL. |
| 27 | +
|
| 28 | + ### Impact |
| 29 | +
|
| 30 | + Rails applications configured to store the `flash` information in |
| 31 | + a session cookie may be vulnerable, if this can be chained with an |
| 32 | + attack that allows injection of arbitrary data into the session cookie. |
| 33 | +
|
| 34 | + ### Workarounds |
| 35 | +
|
| 36 | + If you are unable to upgrade this library, then you may mitigate |
| 37 | + the chained attack by explicitly setting `SameSite=Lax` or |
| 38 | + `SameSite=Strict` on the application session cookie. |
| 39 | +
|
| 40 | + ### Credits |
| 41 | +
|
| 42 | + This issue was responsibly reported by Hackerone user |
| 43 | + [muntrive](https://hackerone.com/muntrive?type=user). |
| 44 | +cvss_v3: 4.2 |
| 45 | +patched_versions: |
| 46 | + - ">= 1.3.0" |
| 47 | +related: |
| 48 | + url: |
| 49 | + - https://nvd.nist.gov/vuln/detail/CVE-2025-57821 |
| 50 | + - https://github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3 |
| 51 | + - https://github.com/basecamp/google_sign_in/releases/tag/v1.3.0 |
| 52 | + - https://github.com/basecamp/google_sign_in/commit/a0548a604fb17e4eb1a57029f0d87e34e8499623 |
| 53 | + - https://github.com/basecamp/google_sign_in/pull/73 |
| 54 | + - https://github.com/basecamp/google_sign_in/commit/85903651201257d4f14b97d4582e6d968ac32f15 |
| 55 | + - https://github.com/advisories/GHSA-7pwc-wh6m-44q3 |
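Review bot: the "Details" and "Impact" sections name different stores for the persisted redirect URL: "Details" says applications that store "session information" in a database have no known vector, while "Impact" scopes the exposure to applications storing the `flash` information in a session cookie. Since the whole description hinges on where that URL lives, align the two sections on one term (for example, "the `flash` data, which by default is kept in the session cookie") so readers can tell at a glance whether their configuration is affected. Relatedly, the "Workarounds" section only mitigates the cross-site chaining step; `SameSite=Lax`/`Strict` does nothing for an injection path that does not depend on cross-site requests (any party able to write a validly signed session cookie can still plant the URL), so it would help to state plainly that upgrading to `>= 1.3.0` is the fix and the cookie attribute is a stopgap.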