Update dependency devise to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
devise (changelog)	'~> 4.8' → '~> 5.0'

---

Devise has a confirmable "change email" race condition permits user to confirm email they have no access to

CVE-2026-32700 / GHSA-57hq-95w6-v4fc

More information

Details

Impact

A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes).

By sending two concurrent email change requests, an attacker can desynchronize the confirmation_token and unconfirmed_email fields. The confirmation token is sent to an email the attacker controls, but the unconfirmed_email in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account.

Patches

This is patched in Devise v5.0.3. Users should upgrade as soon as possible.

Workarounds

Applications can override this specific method from Devise models to force unconfirmed_email to be persisted when unchanged: (assuming your model is User)

class User < ApplicationRecord
  protected

  def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
    unconfirmed_email_will_change!
    super
  end
end

Note: Mongoid does not seem to respect that will_change! should force the attribute to be persisted, even if it did not really change, so you might have to implement a workaround similar to Devise by setting changed_attributes["unconfirmed_email"] = nil as well.

Severity

• CVSS Score: 6.0 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
• https://github.com/heartcombo/devise/issues/5783
• https://github.com/heartcombo/devise/pull/5784
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/GHSA-57hq-95w6-v4fc.yml
• https://nvd.nist.gov/vuln/detail/CVE-2026-32700
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2026-32700.yml
• https://github.com/advisories/GHSA-57hq-95w6-v4fc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Devise has an Open Redirect via Unvalidated request.referrer in Timeoutable Session Timeout Handler

CVE-2026-40295 / GHSA-jp94-3292-c3xv

More information

Details

Summary

When the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected.

Details

The vulnerable code is in lib/devise/failure_app.rb:

def redirect_url
  if warden_message == :timeout
    flash[:timedout] = true if is_flashing_format?

    path = if request.get?
      attempted_path          # safe: server-side value from warden options
    else
      request.referrer        # UNSAFE: HTTP Referer header, attacker-controlled
    end

    path || scope_url
  else
    scope_url
  end
end

This is passed directly to redirect_to:

def redirect
  store_location!
  # ...
  redirect_to redirect_url   # redirect_url may be an external attacker URL
end

The GET timeout path uses attempted_path, which is set server-side by Warden and cannot be influenced by the client. The store_location! method also only runs for GET requests, so no session-based protection is applied on POST timeouts.

By contrast, Devise's store_location_for method (used elsewhere) correctly sanitizes URLs via extract_path_from_location, which strips the scheme and host.

Impact

• Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL.
• The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings.
• An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites.

Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it.

Patches

This is patched in Devise v5.0.4. Users should upgrade as soon as possible.

Workaround

None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (Devise::FailureApp#redirect_url and Devise::Controllers::StoreLocation#extract_path_from_location). Remove the monkey-patch after upgrading.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv
• https://github.com/advisories/GHSA-jp94-3292-c3xv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

heartcombo/devise (devise)

v5.0.4

Compare Source

• security fixes
  • Fix open redirect in FailureApp via unvalidated Referer header on non-GET session timeout. CVE-2026-40295 GHSA-jp94-3292-c3xv

v5.0.3

Compare Source

• security fixes
  • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #​5783 #​5784

v5.0.2

Compare Source

• enhancements
  • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #​5825
    • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
  • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #​5826

v5.0.1

Compare Source

• bug fixes
  • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #​5822

v5.0.0

Compare Source

no changes

v4.9.4

Compare Source

https://github.com/heartcombo/devise/blob/v4.9.4/CHANGELOG.md#494---2024-04-10

v4.9.3

Compare Source

https://github.com/heartcombo/devise/blob/v4.9.3/CHANGELOG.md#493---2023-10-11

v4.9.2

Compare Source

https://github.com/heartcombo/devise/blob/v4.9.2/CHANGELOG.md#unreleased

v4.9.1

Compare Source

https://github.com/heartcombo/devise/blob/v4.9.1/CHANGELOG.md#491---2023-03-31

v4.9.0

Compare Source

https://github.com/heartcombo/devise/blob/v4.9.0/CHANGELOG.md#490---2023-02-17

v4.8.1

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

[14:39:18.709] INFO (1118): Installing tool ruby@3.0.3...
/usr/local/containerbase/tools/v2/ruby.sh: line 80: /etc/gemrc: Permission denied
[14:39:19.280] ERROR (1118): Command failed with exit code 1: bash /usr/local/containerbase/bin/v2-install-tool.sh install ruby 3.0.3
[14:39:19.281] FATAL (1118): Install tool ruby failed in 577ms.