| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| spree | rubygems | < 0.4.0 | 0.4.0 |
The vulnerability stems from Spree's installation generator embedding a hardcoded session secret in the Rails environment configuration file (config/environment.rb). This file is generated automatically when a new Spree app is created, and the static secret value is written into it directly from the template. Because every generated application receives the same secret instead of a unique one, session cookie security is undermined. The patched versions (≥0.4.0) likely changed the generator so that each application gets its own freshly generated secret. The environment.rb template in the generator is the root cause, since it is what introduced the hardcoded value into applications.
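As an added illustration (not code from Spree or the advisory), the Ruby snippet below shows the defender-side check: it scans a Rails 2.x-style config/environment.rb for a literal `:secret` value, flags applications whose generated configs share the same secret, and rewrites a flagged config with a fresh random secret. The sample config text and the exact `config.action_controller.session` line format are assumptions, since the page does not reproduce the generator template.

```ruby
require 'securerandom'

# Constructed sample resembling a Rails 2.x config/environment.rb written by a
# generator that embeds a fixed session secret (format assumed, not from the page).
SAMPLE_ENV_RB = <<~RUBY
  Rails::Initializer.run do |config|
    config.action_controller.session = {
      :session_key => '_spree_session',
      :secret      => '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
    }
  end
RUBY

# Matches `:secret => '<value>'` or `:secret => "<value>"`.
SECRET_RE = /(:secret\s*=>\s*)(['"])([^'"]*)\2/

# Returns the literal secret embedded in the config text, or nil when none is found.
def hardcoded_secret(env_rb)
  m = env_rb.match(SECRET_RE)
  m && m[3]
end

# Given a Hash of app_name => environment.rb text, returns the secrets that appear
# in more than one app, mapped to the apps using them. A non-empty result means
# the generator handed out a shared (i.e. effectively public) secret.
def shared_secrets(configs)
  by_secret = Hash.new { |h, k| h[k] = [] }
  configs.each do |app, text|
    secret = hardcoded_secret(text)
    by_secret[secret] << app if secret
  end
  by_secret.select { |_, apps| apps.size > 1 }
end

# Rewrites the config with a freshly generated 128-hex-char secret, which is what a
# per-application generator should have produced in the first place.
def regenerate_secret(env_rb)
  fresh = SecureRandom.hex(64)
  env_rb.sub(SECRET_RE) { "#{$1}#{$2}#{fresh}#{$2}" }
end
```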