heartcombo devise
cpe:2.3:a:heartcombo:devise:*:*:*:*:ruby:*:*
- <= 5.0.2
A race condition vulnerability has been identified in the Confirmable module of Devise, an authentication solution for Rails. This issue affects Devise versions through 5.0.2 and arises when the 'reconfirmable' option is enabled, which is the default setting for email changes. The vulnerability allows an attacker to confirm an email address they do not own by sending two simultaneous email change requests. This desynchronizes the 'confirmation_token' and 'unconfirmed_email' fields, leading to unauthorized email confirmation on the attacker's account.
Exploitation of this vulnerability allows for unauthorized email confirmation, potentially leading to account hijacking.
To reproduce this vulnerability, an attacker must register an account and initiate an email change to an address they control, without confirming it. Then, by sending two concurrent requests, one to change the email to a victim's address and another to confirm the attacker's email, the attacker can desynchronize the email fields. When the confirmation link is used, the victim's email is falsely confirmed on the attacker's account.
Users are advised to upgrade to Devise version 5.0.3 or later. For applications that cannot upgrade, a workaround is to override the 'postpone_email_change_until_confirmation_and_regenerate_confirmation_token' method in the Devise model to ensure the 'unconfirmed_email' is properly saved. Note that Mongoid users may need to implement an additional workaround.
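As an added example (not part of this advisory and not Devise's own code), the following Ruby script checks a project's Gemfile.lock for the pinned Devise version and reports whether it falls in the affected range described above (every version before 5.0.3). The lockfile text embedded below is constructed for the example; the lockfile layout it parses (resolved gems indented four spaces as `name (version)` under the `specs:` section) is the standard Bundler format.

```ruby
# Added example: gate on the Devise version pinned in Gemfile.lock.
# Versions below 5.0.3 are in the affected range from the advisory above.
require 'rubygems'

FIXED_DEVISE_VERSION = Gem::Version.new('5.0.3')

# Constructed sample Gemfile.lock (not from any real project). Resolved
# gems sit at four-space indentation; their dependencies at six.
CONSTRUCTED_LOCKFILE = [
  'GEM',
  '  remote: https://rubygems.org/',
  '  specs:',
  '    bcrypt (3.1.20)',
  '    devise (5.0.2)',
  '      bcrypt (~> 3.0)',
  '      orm_adapter (~> 0.1)',
  '      railties (>= 4.1.0)',
  '      responders',
  '      warden (~> 1.2.3)',
  '    orm_adapter (0.5.0)',
  '',
  'PLATFORMS',
  '  ruby',
  '',
  'DEPENDENCIES',
  '  devise',
].join("\n") + "\n"

# Returns the resolved Gem::Version of +gem_name+ from lockfile text, or nil
# when the gem is not pinned. Only four-space "    name (x.y.z)" lines are
# considered, so dependency constraint lines (six spaces) are ignored.
def locked_gem_version(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lockfile_text.each_line do |line|
    match = pattern.match(line)
    return Gem::Version.new(match[1]) if match
  end
  nil
end

# True when Devise is pinned and older than the fixed release.
def devise_affected?(lockfile_text)
  version = locked_gem_version(lockfile_text, 'devise')
  return false if version.nil?
  version < FIXED_DEVISE_VERSION
end

# Human-readable verdict for a lockfile, useful in a CI step.
def devise_report(lockfile_text)
  version = locked_gem_version(lockfile_text, 'devise')
  return 'devise not present in Gemfile.lock' if version.nil?
  if version < FIXED_DEVISE_VERSION
    "devise #{version} is affected; upgrade to #{FIXED_DEVISE_VERSION} or later"
  else
    "devise #{version} is not in the affected range"
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : CONSTRUCTED_LOCKFILE
  puts devise_report(text)
end
```

Run it with a path to a real Gemfile.lock as the first argument, or with no arguments to see the verdict for the constructed sample. Comparing via Gem::Version rather than string comparison is what makes the check correct for prerelease and multi-digit components.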