Skip to content

GHSA SYNC: 1 brand new advisory #897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 28, 2025
Merged

GHSA SYNC: 1 brand new advisory #897

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions gems/google_sign_in/CVE-2025-57821.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
---
gem: google_sign_in
cve: 2025-57821
ghsa: 7pwc-wh6m-44q3
url: https://github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3
title: Google Sign-In for Rails allowed redirects to malformed URLs
date: 2025-08-27
description: |
### Summary

It is possible to craft a malformed URL that passes the "same origin"
check, resulting in the user being redirected to another origin.

### Details

The google_sign_in gem persists an optional URL for redirection after
authentication. If this URL is malformed, it's possible for the user
to be redirected to another origin after authentication, possibly
resulting in exposure of authentication information such as the token.

Normally the value of this URL is only written and read by the library.
If applications are configured to store session information in a
database, there is no known vector to exploit this vulnerability.
However, applications may be configured to store this information
in a session cookie, in which case it may be chained with a session
cookie attack to inject a crafted URL.

### Impact

Rails applications configured to store the `flash` information in
a session cookie may be vulnerable, if this can be chained with an
attack that allows injection of arbitrary data into the session cookie.

### Workarounds

If you are unable to upgrade this library, then you may mitigate
the chained attack by explicitly setting `SameSite=Lax` or
`SameSite=Strict` on the application session cookie.

### Credits

This issue was responsibly reported by Hackerone user
[muntrive](https://hackerone.com/muntrive?type=user).
cvss_v3: 4.2
patched_versions:
- ">= 1.3.0"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-57821
- https://github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3
- https://github.com/basecamp/google_sign_in/releases/tag/v1.3.0
- https://github.com/basecamp/google_sign_in/commit/a0548a604fb17e4eb1a57029f0d87e34e8499623
- https://github.com/basecamp/google_sign_in/pull/73
- https://github.com/basecamp/google_sign_in/commit/85903651201257d4f14b97d4582e6d968ac32f15
- https://github.com/advisories/GHSA-7pwc-wh6m-44q3