Platform: ruby
Component: spree_auth_devise
Fixed in: 4.0.2, 4.1.1, 4.2.1, 4.3.1, 4.4.1
CVE-2021-41275 is a Cross-Site Request Forgery (CSRF) vulnerability in spree_auth_devise, the Devise-based authentication extension for the Spree storefront. It affects applications that use the gem's frontend component on any release older than the fixed versions listed above (4.4.0 and earlier in the newest series) and lets an attacker take over the account of a logged-in user. The root cause is not a missing CSRF token but how the application's protect_from_forgery call is configured: when the forgery check uses the :null_session or :reset_session strategy, a request that fails the check is not rejected. Rails only nulls or resets the session for the remainder of that request and lets the action run. Spree::UsersController resolves the current user in a callback that, in the usual callback order, has already run by the time the check fires, so the action still operates on the victim's account. The fix shipped in 4.4.1 and in the corresponding patch releases of the older series.
The impact is full account takeover. A forged request, delivered through a link, an auto-submitting form or an image tag on a page the victim visits while logged in to the store, is processed as if the victim had sent it. Against the user-profile endpoint that means changing the victim's email address and password, which locks the victim out and hands the attacker the account; the same primitive covers any other state-changing action the user can perform, such as updating profile data or placing orders. What makes the bug serious is the combination of factors: protect_from_forgery is present, so the application looks protected, yet with the :null_session or :reset_session strategy a failed check only neutralises the session instead of aborting the request, and a user object already loaded by an earlier callback survives that.
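To make the mechanism concrete, here is a small model of how the forgery-protection strategy and callback ordering decide whether a forged request reaches the action. This is an added example, not code from spree_auth_devise or from Rails; the class, method and data names are the example's own, and the session and user store are constructed stand-ins for what Rails and Warden provide.

```ruby
# Added example, not code from spree_auth_devise or Rails: a small model of
# how the protect_from_forgery strategy and before_action ordering decide
# whether a forged request reaches the action. Class, method and data names
# are this example's own.

class InvalidAuthenticityToken < StandardError; end

class ModelController
  attr_reader :log

  # Rails registers protect_from_forgery as a before_action named
  # verify_authenticity_token; prepend_before_action callbacks run ahead of
  # it. Spree::UsersController resolves the current user in a prepended
  # callback, which is the ordering load_user_first: true models.
  def initialize(strategy:, load_user_first:)
    @strategy = strategy
    @session  = { 'user_id' => 42 }                             # victim is logged in
    @users    = { 42 => { email: 'victim@example.com', password: 'old-secret' } }
    @log      = []
    @callbacks = if load_user_first
                   [:load_user, :verify_authenticity_token]
                 else
                   [:verify_authenticity_token, :load_user]
                 end
  end

  def load_user
    @current_user = @users[@session['user_id']]   # nil once the session is gone
    @log << "load_user: #{@current_user ? 'victim loaded' : 'no user'}"
  end

  # The three Rails strategies reduced to their effect on the request: only
  # :exception stops it; the other two neutralise the session and carry on.
  def verify_authenticity_token(token)
    return if token == 'valid-token'
    @log << "Can't verify CSRF token authenticity."   # the warning Rails logs here
    case @strategy
    when :exception     then raise InvalidAuthenticityToken
    when :null_session  then @session = {}
    when :reset_session then @session.clear
    else raise ArgumentError, "unknown strategy #{@strategy.inspect}"
    end
  end

  # PATCH /user with attacker-chosen params. Returns the outcome and the
  # victim's stored password afterwards.
  def update(params, token)
    @callbacks.each do |cb|
      cb == :verify_authenticity_token ? verify_authenticity_token(token) : load_user
    end
    return [:no_user, @users[42][:password]] if @current_user.nil?
    @current_user[:password] = params[:password]
    [:updated, @users[42][:password]]
  rescue InvalidAuthenticityToken
    [:rejected, @users[42][:password]]
  end
end

# A forged cross-site request carries no valid token and the attacker's password.
def forged_update(strategy:, load_user_first:)
  ModelController.new(strategy: strategy, load_user_first: load_user_first)
                 .update({ password: 'attacker-pw' }, nil)
end

if __FILE__ == $PROGRAM_NAME
  [[:null_session, true], [:reset_session, true],
   [:exception, true], [:null_session, false]].each do |strategy, first|
    result = forged_update(strategy: strategy, load_user_first: first)
    puts "#{strategy.inspect}, user loaded first: #{first} -> #{result.inspect}"
  end
end
```

Running it shows the four cases side by side: with :null_session or :reset_session and the user loaded first, the forged request sets the attacker's password; with :exception the same request is rejected; and if the forgery check ran before the user was loaded, the nulled session leaves no user to act on. The last case is why the advisory's affected condition is phrased in terms of callback order rather than the strategy alone.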
CVE-2021-41275 was publicly disclosed on November 18, 2021. No active exploitation campaigns have been confirmed, and the vulnerability is not listed in CISA's KEV catalog. It is rated High (CVSS 3.1 base score 8.8); user interaction is inherent to CSRF, which is why the score stops short of Critical. CSRF attacks are straightforward to deliver, and public proof-of-concept exploits are available, so opportunistic exploitation of unpatched stores remains plausible despite the low EPSS score.
Exploit Status
EPSS: 0.07% (23rd percentile)
CVSS Vector
The primary mitigation for CVE-2021-41275 is to upgrade spree_auth_devise to the fixed release for your series (4.4.1 for the newest). If upgrading immediately is not feasible, review every protect_from_forgery call in the application, in ApplicationController and in any Spree controller decorators. Do not use the :null_session or :reset_session strategies on browser-facing controllers; switch to :exception so that a request whose token fails verification raises ActionController::InvalidAuthenticityToken and never reaches the action. Note that :null_session is what Rails applies when protect_from_forgery is called without a with: option, although a freshly generated Rails application configures :exception. Check callback ordering as well: a prepend_before_action that loads the current user runs ahead of the forgery check, which is exactly the condition the advisory describes. Inventing a separate token scheme is unnecessary; Rails' authenticity tokens work, the problem is what happens when they fail. Finally, monitor the application log for the warning Rails emits on a failed check, "Can't verify CSRF token authenticity." With :null_session or :reset_session that line is the only trace of an attempt, because the request continues; with :exception it is followed by an InvalidAuthenticityToken error and a rejected request.
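The workaround as it would appear in a Spree application. This is a configuration fragment added here, not code from the project; the decorator file name follows the convention Spree extensions use and is an assumption.

```ruby
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Weak: a failed token check only nulls the session for this request and
  # the action still runs. A bare protect_from_forgery call (no with: option)
  # behaves the same way.
  # protect_from_forgery with: :null_session

  # Corrected: a failed check raises ActionController::InvalidAuthenticityToken
  # and the request never reaches the action.
  protect_from_forgery with: :exception
end

# app/controllers/spree/users_controller_decorator.rb (assumed location)
# Applies the strategy to the vulnerable controller directly, for deployments
# where ApplicationController cannot be changed.
Spree::UsersController.class_eval do
  protect_from_forgery with: :exception
end
```

Either placement is enough: the advisory's workaround is to set :exception in ApplicationController or in Spree::UsersController. After deploying, a failed check shows up in the log as the "Can't verify CSRF token authenticity." warning followed by an InvalidAuthenticityToken error instead of a 200 response.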
Update the spree_auth_devise gem to version 4.4.1 or higher for Spree 4.3 applications, 4.2.1 or higher for Spree 4.2 applications, 4.1.1 or higher for Spree 4.1 applications, or 4.0.1 or higher for older versions. As a workaround, change the CSRF protection strategy to :exception in your ApplicationController or in Spree::UsersController.
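To check a lockfile against the fixed releases, here is an added example (not part of the advisory or of spree_auth_devise) that reads the locked spree_auth_devise version from a Gemfile.lock and compares it with the "Fixed in" list at the top of this page. The sample lockfile is constructed; pass a real Gemfile.lock path as the first argument to check your own.

```ruby
# Added example, not part of the advisory or of spree_auth_devise: scan a
# Gemfile.lock for the locked spree_auth_devise version and compare it with
# the fixed releases listed on this page. The sample lockfile is constructed.
require 'rubygems'

# First fixed release of each series, from the "Fixed in" box above.
FIXED_IN = %w[4.0.2 4.1.1 4.2.1 4.3.1 4.4.1].map { |v| Gem::Version.new(v) }.freeze

# Gem entries in the specs section sit at exactly four spaces of indentation;
# the two-space DEPENDENCIES entry ("~> 4.3") and six-space sub-dependencies
# are deliberately not matched.
def locked_version(lockfile_text)
  m = lockfile_text.match(/^ {4}spree_auth_devise \((\d[^)]*)\)/)
  m && Gem::Version.new(m[1])
end

# A version is affected if it is older than the fix for its major.minor
# series. Releases newer than the newest fix are treated as fixed; releases
# older than the oldest fixed series (pre-4.0) are treated as affected, which
# matches "upgrade to 4.0.x for older versions" in the advisory text.
def assessment(version)
  return :not_present if version.nil?
  series = version.segments.first(2)
  fix = FIXED_IN.find { |f| f.segments.first(2) == series }
  if fix
    version < fix ? :affected : :fixed
  elsif version >= FIXED_IN.max
    :fixed
  else
    :affected
  end
end

def check_lockfile(text)
  v = locked_version(text)
  { version: v&.to_s, status: assessment(v) }
end

# Constructed sample: a Spree 4.3 store pinned to the unpatched 4.3.0 release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise (4.8.0)
      spree_auth_devise (4.3.0)
        devise (~> 4.7)
        spree_core (>= 4.1.0)
      spree_core (4.3.0)

  DEPENDENCIES
    spree_auth_devise (~> 4.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts check_lockfile(text).inspect
end
```

The version check is necessary but not sufficient: a patched gem still needs the application's own protect_from_forgery configuration reviewed, and an unpatched gem is only exploitable under the :null_session or :reset_session strategy. Treat :affected from this script as "upgrade now", not as proof of exposure.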
CVE-2021-41275 is a Cross-Site Request Forgery (CSRF) vulnerability in spree_auth_devise (4.4.0 and earlier, plus the unpatched releases of the older series) that allows an attacker to take over user accounts.
You are affected if your application uses the gem's frontend component on an unpatched release and protect_from_forgery is configured with the :null_session or :reset_session strategy (:null_session is what Rails applies when no with: option is given).
Upgrade to spree_auth_devise 4.4.1 or higher, or to the fixed release of your series. If an immediate upgrade is not possible, set protect_from_forgery with: :exception in ApplicationController or in Spree::UsersController.
No active exploitation campaigns have been confirmed, but the High severity and the availability of proof-of-concept code mean exploitation is plausible.
Refer to the Spree Auth Devise GitHub repository for details and updates: https://github.com/spree/spree-auth-devise