CVE-2021-25973: Publify `guest` role users can self-register even when the admin does not allow it
CVSS Score: 6.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-25973
GHSA ID:
EPSS Score: 0.37378%
CWE:
Published: 11/3/2021
Updated: 5/4/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
publify_core | rubygems | >= 9.0.0.pre1, < 9.2.5 | 9.2.5
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability stemmed from Publify's failure to implement backend authorization checks for user registration. The patch introduced a custom `RegistrationsController` (`users/registrations_controller.rb`) with a `require_signup_allowed` `before_action` that validates `this_blog.allow_signup?`. Prior to this fix, Publify used Devise's default controller, which lacked this check. The `routes.rb` configuration (using `devise_for :users` without overriding the controller) exposed the unprotected registration endpoint, making `Devise::RegistrationsController#create` the entry point for unauthorized registrations.
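The following is an added illustration, not Publify's or Devise's code: a minimal plain-Ruby model of a Rails-style `before_action` chain that contrasts an ungated registration action with one gated by a `require_signup_allowed` filter, to show why the setting must be enforced server-side rather than only by hiding the sign-up link. `Blog`, `MiniController` and `attempt_signup` are constructed stand-ins.

```ruby
# Constructed stand-in for Publify's blog settings object (this_blog).
Blog = Struct.new(:allow_signup) do
  def allow_signup?
    allow_signup
  end
end

# Tiny stand-in for a Rails controller with a before_action chain.
# Filters are per class; inherited filters are not modelled here.
class MiniController
  def self.filters
    @filters ||= []
  end

  def self.before_action(name)
    filters << name
  end

  attr_reader :this_blog

  def initialize(blog, users)
    @this_blog, @users, @status = blog, users, nil
  end

  def redirect_to(path)
    @status = [:redirect, path]
  end

  # Run the filters; like Rails, halt the request if a filter redirected.
  def dispatch(action, params)
    self.class.filters.each do |f|
      send(f)
      return @status if @status
    end
    send(action, params)
  end
end

# Unpatched shape: the default registrations controller has no sign-up gate,
# so a POST to the endpoint creates an account regardless of the blog setting.
class DefaultRegistrations < MiniController
  def create(params)
    @users << params[:email]
    @status = [:created, params[:email]]
  end
end

# Patched shape: the same action, gated by a before_action on allow_signup?.
class GuardedRegistrations < DefaultRegistrations
  before_action :require_signup_allowed

  def require_signup_allowed
    redirect_to('/') unless this_blog.allow_signup?
  end
end

# Returns [response, persisted_users] for one simulated registration request.
def attempt_signup(controller_class, allow_signup, email)
  users = []
  ctl = controller_class.new(Blog.new(allow_signup), users)
  [ctl.dispatch(:create, { email: email }), users]
end
```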