Devise Open Redirect Vulnerability in Timeoutable Session Handling

Vulnerability

A vulnerability exists in Devise, an authentication solution for Rails, in versions 5.0.3 and prior. When the Timeoutable module is enabled and a request arrives on a session that has exceeded its timeout, Devise::FailureApp#redirect_url decides where to send the user after the forced sign-out. For GET requests it uses the attempted request path, a value derived on the server that an attacker cannot point at an external host. For non-GET requests it falls back to the raw HTTP Referer header, which the client fully controls, and redirects to it without checking that it refers back to the application. An attacker can therefore bounce a user whose session has expired from the trusted domain to an arbitrary external site, which is useful for phishing or malware delivery.

Impact

Exploitation yields an open redirect to an attacker-controlled URL. Because the redirect response is issued by the trusted application origin, the browser follows it without presenting any warning, so a request aimed at the legitimate domain can land the user on a phishing page or a malware download.

Reproduction

To reproduce, run a Devise version prior to 5.0.4 with the Timeoutable module enabled, sign in as a test user, and let the session exceed the configured timeout_in value (or lower it for the test). From a page on an origin you control, submit a non-GET request to an authenticated route of the application, for example with an auto-submitting cross-origin HTML form. The browser sets the Referer header to your page, so when Devise's timeout hook signs the user out, FailureApp redirects them to that external URL without validating it. Note that under the browsers' default Referrer-Policy of strict-origin-when-cross-origin the Referer sent on a cross-origin POST is reduced to your page's origin (scheme, host and port), which is still an external URL; adding <meta name="referrer" content="unsafe-url"> to your page sends the full URL.

Remediation

Users are advised to upgrade to Devise version 5.0.4, which contains the fix. If an immediate upgrade is not possible, the fix can be back-ported as a monkey-patch in a Rails initializer that overrides Devise::FailureApp#redirect_url and Devise::Controllers::StoreLocation#extract_path_from_location so that the referrer is reduced to a local path before it is used as a redirect target. Remove the monkey-patch after upgrading.
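The following is an added, self-contained Ruby example written for this page; it is not Devise's code nor the upstream patch. It isolates the redirect decision from the timeout branch described above in a hypothetical TimeoutRedirector class, shows the vulnerable shape (raw Referer on a non-GET request) beside a hardened shape that reduces the referrer to a local path in the spirit of StoreLocation#extract_path_from_location, and runs both against a constructed cross-origin POST from the reproduction section. TimedOutRequest, TimeoutRedirector and the SIGN_IN_PATH fallback are assumptions standing in for ActionDispatch::Request, FailureApp and scope_url.

```ruby
require 'uri'

# Constructed stand-in for the parts of a Rack request that the timeout
# branch reads. Real Devise reads these from ActionDispatch::Request.
TimedOutRequest = Struct.new(:http_method, :referrer, keyword_init: true) do
  def get?
    http_method == 'GET'
  end
end

# Hypothetical class (not Devise's FailureApp) that isolates the redirect
# decision so the vulnerable and hardened shapes can be compared directly.
class TimeoutRedirector
  # Assumed scope_url fallback; in Devise this comes from the routing scope.
  SIGN_IN_PATH = '/users/sign_in'.freeze

  # attempted_path models the server-side path used for GET requests.
  def initialize(request, attempted_path: nil)
    @request = request
    @attempted_path = attempted_path
  end

  # Vulnerable shape: a non-GET request redirects to the raw Referer,
  # so an external Referer becomes an external redirect target.
  def vulnerable_redirect_url
    path = @request.get? ? @attempted_path : @request.referrer
    path || SIGN_IN_PATH
  end

  # Hardened shape: the Referer is reduced to a local path first, so the
  # browser can only be sent somewhere on the application's own host.
  def hardened_redirect_url
    path = @request.get? ? @attempted_path : extract_path_from_location(@request.referrer)
    path || SIGN_IN_PATH
  end

  private

  # Modeled on the idea behind StoreLocation#extract_path_from_location:
  # drop scheme and authority, keep only path, query and fragment.
  # Returns nil (and thus falls back to SIGN_IN_PATH) for unparseable input.
  def extract_path_from_location(location)
    return nil if location.nil? || location.strip.empty?
    uri = URI.parse(location)
    path = uri.path.to_s.sub(%r{\A/+}, '/')   # collapse "//evil.example" style prefixes
    path = '/' if path.empty?
    path = "#{path}?#{uri.query}" if uri.query
    path = "#{path}##{uri.fragment}" if uri.fragment
    path
  rescue URI::InvalidURIError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: cross-origin POST carrying an external Referer.
  post = TimedOutRequest.new(http_method: 'POST', referrer: 'https://attacker.example/phish?c=1')
  app = TimeoutRedirector.new(post)
  puts "vulnerable: #{app.vulnerable_redirect_url}"   # https://attacker.example/phish?c=1
  puts "hardened:   #{app.hardened_redirect_url}"     # /phish?c=1
end
```

The hardened variant deliberately does not compare hosts: stripping the scheme and authority is enough to close the open redirect, because whatever path survives is resolved against the application's own origin, and it also neutralises protocol-relative referrers such as //attacker.example/x. A stricter variant would return nil whenever the referrer's host differs from request.host, so that a foreign referrer always falls back to the sign-in page instead of an arbitrary local path.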

Added: May 26, 2026, 2:48 PM
Updated: May 26, 2026, 2:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 7.0
remediation: 0.0
relevance: 9.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.