9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41275

GHSA ID

GHSA-26xx-m4q2-xhq8

EPSS Score

0.32948%

CWE

CWE-352

Published

11/18/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41275

CVE-2021-41275: Authentication Bypass by CSRF Weakness

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

Executed whether as:
- A before_action callback (the default)
- A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Thanks @waiting-for-dev for reporting and providing a patch 👏

Patches

Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following toconfig/application.rb to at least run the :exception strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

(GitHub Advisory)

9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41275

GHSA ID

GHSA-26xx-m4q2-xhq8

EPSS Score

0.32948%

CWE

CWE-352

Published

11/18/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
spree_auth_devise	rubygems	>= 4.3.0, < 4.4.1	4.4.1
spree_auth_devise	rubygems	>= 4.2.0, < 4.2.1	4.2.1
spree_auth_devise	rubygems	>= 4.1.0, < 4.1.1	4.1.1
spree_auth_devise	rubygems	< 4.0.1	4.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from callback execution order. The original code used prepend_before_action to load user objects before CSRF validation. This is critical because:

When using :null_session/reset_session strategies, session data gets cleared AFTER user loading
The user object remained valid even with invalid CSRF tokens
Update actions could proceed with the pre-loaded user object
The patch moved load_object into individual actions AFTER CSRF protection Commit diff shows removal of prepend_before_action and explicit load_object calls in actions, confirming the execution order was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *SR* vuln*r**ility t**t *llows us*r ***ount t*k*ov*r. *ll *ppli**tions usin* *ny v*rsion o* t** *ront*n* *ompon*nt o* `spr**_*ut*_**vis*` *r* *****t** i* `prot**t_*rom_*or**ry` m*t*o* is *ot*: * *x**ut** w**t**r *s: * * ***or*_**tion

Reasoning

T** vuln*r**ility st*ms *rom **ll***k *x**ution or**r. T** ori*in*l *o** us** pr*p*n*_***or*_**tion to lo** us*r o*j**ts ***or* *SR* v*li**tion. T*is is *riti**l ****us*: *. W**n usin* :null_s*ssion/r*s*t_s*ssion str*t**i*s, s*ssion **t* **ts *l**r**

9.3

Basic Information

Concerned about an active attack path?

CVE-2021-41275: Authentication Bypass by CSRF Weakness

Impact

Patches

Workarounds

References

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI