CVE-2025-58067: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in basecamp google_sign_in
Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL. Normally the value of this URL is only written and read by the library or the calling application. However, it may be possible to set this session value from a malicious site with a form submission. Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can be chained with another attack that is able to modify the OAuth2 request parameters. This issue has been patched in version 1.3.1. There are no workarounds.
AI Analysis
Technical Summary
CVE-2025-58067 is a medium-severity vulnerability classified as CWE-601 (URL Redirection to Untrusted Site, also known as an Open Redirect) affecting the Basecamp google_sign_in gem used in Ruby on Rails applications. This gem facilitates Google Sign-In integration for Rails apps. The vulnerability exists in versions prior to 1.3.1, where the "proceed_to" value stored in the session can be set to a protocol-relative URL, allowing an attacker to redirect users to arbitrary external origins. Normally, this session value is managed internally by the library or the hosting application, but it may be manipulated via a form submission from a malicious site. Exploitation requires chaining this open redirect with another attack vector capable of modifying OAuth2 request parameters, which increases the complexity of exploitation. The vulnerability does not require authentication but does require user interaction (e.g., clicking a crafted link or submitting a form). The CVSS 3.1 base score is 4.2 (medium), reflecting network attack vector, high attack complexity, no privileges required, user interaction required, and low impact on confidentiality and integrity, with no impact on availability. No known exploits are currently reported in the wild. The issue was patched in version 1.3.1 of the google_sign_in gem, and no workarounds exist, so upgrading is mandatory to remediate the risk.
Potential Impact
For European organizations using Ruby on Rails applications that integrate Google Sign-In via the vulnerable versions of the basecamp google_sign_in gem, this vulnerability could enable attackers to redirect users to malicious websites. This could facilitate phishing attacks, credential theft, or drive-by downloads by exploiting user trust in the legitimate application domain. Although the direct impact on confidentiality and integrity is rated low, the open redirect can be a critical component in multi-stage attacks, especially if combined with other OAuth2 parameter manipulation vulnerabilities. This could lead to unauthorized access or session hijacking in worst-case scenarios. The impact is particularly relevant for sectors with high reliance on web applications for user authentication, such as financial services, e-government portals, and healthcare providers in Europe. The lack of known exploits reduces immediate risk, but the presence of this vulnerability in widely used authentication components necessitates prompt remediation to prevent potential exploitation.
Mitigation Recommendations
The only effective mitigation is to upgrade the google_sign_in gem to version 1.3.1 or later, where the vulnerability has been patched. Since no workarounds exist, organizations should prioritize dependency management and patching processes to ensure timely updates. Additionally, developers should audit OAuth2 request parameter handling to prevent manipulation that could be chained with this open redirect. Implementing strict validation and whitelisting of redirect URLs within the application can further reduce risk. Web application firewalls (WAFs) can be configured to detect and block suspicious redirect patterns or unusual OAuth2 parameter modifications. User education on phishing risks and monitoring for unusual authentication flows can also help mitigate exploitation attempts. Finally, organizations should conduct security testing and code reviews focusing on session management and redirect handling in authentication flows.
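As an added, defender-side example (not code from the google_sign_in gem or from Basecamp), the following Ruby helper shows the "strict validation and whitelisting of redirect URLs" the recommendation above refers to, applied to the "proceed_to" value before the application issues its post-sign-in redirect. The helper name `safe_proceed_to`, the constant `ALLOWED_HOST`, the sample origin `app.example.com` and all sample inputs are assumptions constructed for this example.

```ruby
require "uri"

# Added example, not the gem's code. Validates a post-sign-in redirect target
# (the value a Rails app keeps in the session as "proceed_to") and returns
# either the original value or a safe in-app default.
SAFE_DEFAULT = "/".freeze
ALLOWED_HOST = "app.example.com".freeze # constructed sample origin (assumption)

# Returns a target that is safe to redirect to, or SAFE_DEFAULT.
# Accepted: in-app paths ("/dashboard?tab=1") and HTTPS URLs on allowed_host.
# Rejected: protocol-relative URLs ("//other.example/..."), any other scheme or
# host, backslash/control-character variants, and anything that fails to parse.
def safe_proceed_to(value, allowed_host: ALLOWED_HOST)
  return SAFE_DEFAULT unless value.is_a?(String) && !value.empty?

  # Browsers normalise backslashes and control characters in ways URI.parse
  # does not model ("/\\evil.example" is treated like "//evil.example"), so
  # refuse them outright instead of reasoning about them.
  return SAFE_DEFAULT if value.match?(/[\\\x00-\x1f\x7f]/)

  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    return SAFE_DEFAULT
  end

  if uri.scheme.nil? && uri.host.nil?
    # Relative reference. A protocol-relative URL parses with scheme nil but a
    # non-nil host, so it never reaches this branch; additionally require a
    # single leading slash so that only in-app paths are accepted.
    return value if value.start_with?("/") && !value.start_with?("//")
    return SAFE_DEFAULT
  end

  # Absolute URL (or protocol-relative one): allow HTTPS to our own host only.
  return value if uri.scheme == "https" && uri.host&.downcase == allowed_host
  SAFE_DEFAULT
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a quick manual run.
  ["/dashboard?tab=1", "//other.example/login", "https://app.example.com/settings",
   "https://other.example/settings", "/\\other.example", "dashboard"].each do |candidate|
    puts "#{candidate.inspect} -> #{safe_proceed_to(candidate).inspect}"
  end
end
```

The check runs at the point where the session value is read back and turned into a redirect, so it holds regardless of how the value got into the session; a same-origin allowlist plus a path-only rule for relative targets is what closes the protocol-relative case the advisory describes.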
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-22T14:30:32.222Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68b218fcad5a09ad007b7a27
Added to database: 8/29/2025, 9:17:48 PM
Last enriched: 9/7/2025, 12:44:47 AM
Last updated: 10/14/2025, 11:44:08 PM