CVE-2026-40295: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in heartcombo devise
Description
CVE-2026-40295 is an open redirect vulnerability in Devise, the authentication solution for Rails, affecting versions 5.0.3 and below when the Timeoutable module is enabled. The flaw is in FailureApp#redirect_url: when a non-GET request fails because the session has timed out, the method returns the HTTP Referer header as the redirect target without validating it. Because the browser fills Referer from whatever page originated the request, an attacker who gets an expired-session user to submit a non-GET request from a page they control can redirect that user to an arbitrary external URL, which facilitates phishing or malware delivery. The GET timeout path and Devise's store_location_for mechanism are not affected; both already guard against redirects to external hosts. The vulnerability is fixed in Devise 5.0.4. The CVSS score is 6.
AI Analysis
Technical Summary
In Devise versions prior to 5.0.4 with the Timeoutable module enabled, FailureApp#redirect_url chooses the redirect target for a timed-out session by request method: a GET request is sent back to the attempted path, which is a path on the application itself and therefore stays on-site, but a non-GET request is sent to the raw HTTP Referer header. The browser populates Referer from the page that originated the request, so the value is attacker-controllable, and it is used without validation, giving an open redirect. Rails' own open-redirect protection (raise_on_open_redirects) does not cover this path because Devise::FailureApp is a standalone ActionController::Metal endpoint rather than a subclass of the application's ActionController::Base, so it does not pick up the application's redirect configuration. The result is that users whose sessions have expired can be redirected to attacker-controlled external URLs, increasing the risk of phishing and malware delivery. The issue is resolved in version 5.0.4.
Potential Impact
An attacker can cause a user whose session has expired to be redirected from the trusted application domain to an arbitrary external URL of the attacker's choosing. The redirect is issued by the legitimate application, so the user sees no warning and arrives at the attacker's page carrying the trust of the original site, which makes credential phishing and malware delivery more convincing. Exploitation requires user interaction (the victim must submit a non-GET request whose Referer the attacker controls) and only succeeds once the session has timed out. The direct confidentiality and integrity impact is low, because the flaw grants no access to data or system control, but it can lead to user deception and indirect compromise such as credential theft.
Mitigation Recommendations
Upgrade Devise to version 5.0.4 or later, where this open redirect is fixed. Until then, treat the non-GET timeout redirect as exploitable wherever the Timeoutable module is enabled; no other official or temporary fix is documented for 5.0.3 and below. Two defensive measures that are not vendor-documented workarounds but follow from the advisory: confirm the installed version in Gemfile.lock (or with bundle exec gem list devise) across every application that bundles Devise, and, if an upgrade is blocked, install a custom failure app through Devise's config.warden failure_app hook whose redirect_url only accepts same-host Referer values. The vendor advisory does not separately state a patch status, but the fix ships in version 5.0.4.
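The following Ruby block is an added illustration, not Devise's own code: it reconstructs the timeout-redirect selection described in the Technical Summary beside a hardened variant of the kind a custom failure app could use as an interim mitigation. FakeRequest, SCOPE_URL, the hostnames and all function names are constructed for this example, and the same_origin_path check is one reasonable design, not the patch that shipped in Devise 5.0.4.

```ruby
require "uri"

# Constructed stand-in for the Rack request a failure app inspects.
# Not Devise's real request object.
FakeRequest = Struct.new(:http_method, :host, :referrer, :attempted_path, keyword_init: true) do
  def get?
    http_method == "GET"
  end
end

# Hypothetical sign-in path used as the fallback target (Devise's default for scope :user).
SCOPE_URL = "/users/sign_in"

# Behaviour the advisory describes for Devise <= 5.0.3 (illustrative reconstruction):
# after a timeout, a GET goes back to the attempted path, anything else goes to
# the raw Referer header with no validation.
def vulnerable_timeout_redirect(request)
  path = request.get? ? request.attempted_path : request.referrer
  path || SCOPE_URL
end

# Reduce a candidate redirect target to a same-origin path, or nil if it would
# leave the application. Accepts rooted relative paths and absolute http(s)
# URLs whose host matches app_host; rejects everything else.
def same_origin_path(candidate, app_host)
  return nil if candidate.nil? || candidate.empty?
  return nil if candidate.start_with?("//") # protocol-relative => another host

  uri = URI.parse(candidate)
  if uri.host.nil?
    # Relative reference: only a rooted path with no scheme (rules out javascript:, data:, ...)
    return (uri.scheme.nil? && candidate.start_with?("/")) ? candidate : nil
  end
  return nil unless %w[http https].include?(uri.scheme)
  return nil unless uri.host.casecmp?(app_host) # defeats https://app.example@evil.example/

  uri.request_uri # drop scheme, userinfo and host; keep path + query
rescue URI::InvalidURIError
  nil # backslashes, control characters and other junk fall back to the scope URL
end

# Hardened selection of the kind a custom failure app could use (not Devise's 5.0.4 patch).
def hardened_timeout_redirect(request)
  candidate = request.get? ? request.attempted_path : request.referrer
  same_origin_path(candidate, request.host) || SCOPE_URL
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a POST originating from an attacker page after the victim's session expired.
  expired_post = FakeRequest.new(http_method: "POST", host: "app.example",
                                 referrer: "https://evil.example/phish", attempted_path: "/profile")
  puts "vulnerable: #{vulnerable_timeout_redirect(expired_post)}" # https://evil.example/phish
  puts "hardened:   #{hardened_timeout_redirect(expired_post)}"   # /users/sign_in
end
```

The hardened version returns only the path and query of a same-host Referer, so a userinfo trick such as https://app.example@evil.example/ is rejected on the host comparison and a protocol-relative //evil.example/ never reaches the parser. A GET request is handled identically in both versions because attempted_path is already an on-site path.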
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-10T20:22:44.035Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a10b5b4e1370fbb4848af54
Added to database: 5/22/2026, 7:59:48 PM
Last enriched: 5/22/2026, 8:14:54 PM
Last updated: 5/22/2026, 9:09:45 PM