
CVE-2025-58067: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in basecamp google_sign_in

Severity: Medium
Tags: Vulnerability, CVE-2025-58067, CWE-601
Published: Fri Aug 29 2025 (08/29/2025, 21:05:22 UTC)
Source: CVE Database V5
Vendor/Project: basecamp
Product: google_sign_in

Description

Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL. Normally the value of this URL is only written and read by the library or the calling application. However, it may be possible to set this session value from a malicious site with a form submission. Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can be chained with another attack that is able to modify the OAuth2 request parameters. This issue has been patched in version 1.3.1. There are no workarounds.

AI-Powered Analysis

AI analysis last updated: 08/29/2025, 21:33:09 UTC

Technical Analysis

CVE-2025-58067 is a medium-severity vulnerability classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect) in the Basecamp google_sign_in Ruby gem, which integrates Google Sign-In into Rails applications. The vulnerability affects versions prior to 1.3.1.

The gem stores a "proceed_to" value in the session store: the URL the user is sent to once authentication completes. Normally this value is written and read only by the library or the calling application. If it is instead set to a protocol-relative URL (one beginning with "//", which browsers resolve against the current scheme but to whatever host follows), the post-sign-in redirect lands on another origin. An attacker may be able to set this session value from a malicious site via a form submission, effectively injecting a redirect to an untrusted external origin. This becomes an exploitable open redirect if it can be chained with another attack that modifies the OAuth2 request parameters, so that users are sent to a malicious site after sign-in.

Exploitation requires user interaction (e.g., clicking a crafted link or submitting a form) and has high attack complexity, since it depends on chaining with another weakness that modifies OAuth2 parameters. The CVSS 3.1 base score is 4.2 (medium), reflecting low confidentiality and integrity impact, no availability impact, no privileges required, and user interaction needed. No exploits are known in the wild, and the issue was patched in version 1.3.1 of the gem. There are no workarounds, so upgrading is the only effective remediation. Rails applications running vulnerable versions of google_sign_in could expose their users to phishing or redirection attacks that, combined with other vulnerabilities, could lead to credential theft or session hijacking.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to web applications built on Ruby on Rails that use the google_sign_in gem for Google authentication. The open redirect can be exploited to redirect users to malicious sites, facilitating phishing attacks or social engineering campaigns. While the direct impact on confidentiality and integrity is low, the chained exploitation potential could lead to credential compromise or session hijacking, especially in environments where OAuth2 parameters can be manipulated. This could affect user trust, lead to data breaches, and cause reputational damage. Organizations in sectors with high reliance on web authentication, such as finance, healthcare, and government services, may face increased risk. The medium severity and absence of known exploits suggest a moderate immediate threat, but the vulnerability should be addressed promptly to prevent exploitation in targeted attacks. Compliance with GDPR and other data protection regulations may require timely patching to avoid penalties related to user data compromise.

Mitigation Recommendations

The primary and only effective mitigation is to upgrade the google_sign_in gem to version 1.3.1 or later, where the vulnerability has been patched. Organizations should audit their Rails applications (for example by checking Gemfile.lock) to identify vulnerable gem versions. Additionally, developers should strictly validate any redirect URL stored in the session or passed as a parameter before handing it to redirect_to: accept only absolute paths within the application (rejecting values that begin with "//" or "/\", which browsers resolve to a foreign host) or full URLs whose scheme and host are on an explicit allow list. Content Security Policy (CSP) headers restrict where scripts load and where forms may submit, which limits the follow-on damage of a malicious page; they do not block a server-issued redirect itself, so treat CSP as defence in depth rather than a fix. Monitoring OAuth2 request parameters for unexpected modifications and implementing anomaly detection on authentication flows can help detect exploitation attempts. User education to recognize phishing attempts leveraging open redirects is also recommended. Finally, organizations should review their session management and OAuth2 implementation to minimize the risk of chaining attacks that could exploit this vulnerability.
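A concrete form of that validation, added here as an illustration and not taken from the google_sign_in gem or its 1.3.1 patch: a Ruby helper that accepts a stored proceed_to value only when it stays on the application's own origin, rejecting the protocol-relative shape described in this CVE along with full URLs to untrusted hosts. The function name, ALLOWED_HOSTS and the sample values are assumptions constructed for the example.

```ruby
require "uri"

# Assumed allow list for this example: hosts we are willing to redirect
# to with a full URL. Everything else must be a path inside this app.
ALLOWED_HOSTS = ["app.example.test"].freeze
DEFAULT_PATH = "/".freeze

# Returns a redirect target that is safe to pass to redirect_to, or the
# fallback whenever the stored value could send the browser elsewhere.
def safe_proceed_to(value, fallback = DEFAULT_PATH)
  return fallback if value.nil? || value.strip.empty?

  # The CVE-2025-58067 shape: a value starting with "//" is a
  # protocol-relative URL and resolves to whatever host follows.
  # "/\" is rejected too, because browsers normalise it to "//".
  return fallback if value.start_with?("//", "/\\")

  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    # Backslashes, control characters and the like: treat as untrusted.
    return fallback
  end

  if uri.scheme.nil? && uri.host.nil?
    # Path-relative reference: only an absolute path within this app.
    return uri.path.start_with?("/") ? value : fallback
  end

  # Absolute URL (or a scheme such as javascript:): allow only https to a
  # host we explicitly trust. URI.parse separates userinfo from host, so
  # "https://app.example.test@evil.example/" is judged by its real host.
  return fallback unless uri.scheme == "https" && ALLOWED_HOSTS.include?(uri.host)

  value
end
```

Call it at the point where the session value is read back, never when it is written, so a value injected into the session after the fact is still checked.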


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-22T14:30:32.222Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b218fcad5a09ad007b7a27

Added to database: 8/29/2025, 9:17:48 PM

Last enriched: 8/29/2025, 9:33:09 PM

Last updated: 8/29/2025, 9:59:13 PM

