CSRF token fixation attacks in Devise


2017-04-01 19:10
2017-01-05 20:15


Devise contains a flaw that allows a remote, user-assisted attacker to
conduct a CSRF token fixation attack. This issue is triggered as previous
CSRF tokens are not properly invalidated when a new token is created.
If an attacker has knowledge of said token, a specially crafted request can
be made to it, allowing the attacker to conduct CSRF attacks.
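The defect described above comes down to session handling: a CSRF token that was in the session before authentication stays valid after the user signs in, so anyone who learned that pre-login token can keep using it. The following Ruby snippet is an added illustration, not Devise's own code, of both behaviours side by side: a minimal session wrapper (the `CsrfSession` class and its `clean_up_on_authentication:` switch are hypothetical names chosen here) that either keeps the old token across sign-in, reproducing the flaw, or discards it at sign-in so that only a freshly generated token is accepted, which is the approach the patched Devise releases take (Devise exposes this as the `clean_up_csrf_token_on_authentication` setting in its initializer; that option is not mentioned on this page).

```ruby
require 'securerandom'

# Minimal stand-in for a Rack session holding a CSRF token (hypothetical, not Devise's code).
class CsrfSession
  TOKEN_KEY = '_csrf_token'.freeze

  attr_reader :session

  # clean_up_on_authentication: when true, any token issued before sign-in is dropped at sign-in.
  def initialize(clean_up_on_authentication: true)
    @session = {}
    @clean_up = clean_up_on_authentication
  end

  # Return the current token, generating one lazily the first time it is asked for.
  def csrf_token
    @session[TOKEN_KEY] ||= SecureRandom.base64(32)
  end

  # Sign the user in. With cleanup enabled the pre-login token is invalidated,
  # so a token learned before authentication cannot be replayed afterwards.
  def sign_in(user_id)
    @session[:user_id] = user_id
    @session.delete(TOKEN_KEY) if @clean_up
    csrf_token
  end

  # True only when the submitted token matches the token currently in the session.
  def valid_token?(submitted)
    current = @session[TOKEN_KEY]
    return false if current.nil? || submitted.nil?
    secure_compare(submitted, current)
  end

  private

  # Constant-time string comparison so the check does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Run one sign-in with a token that was already known before authentication and
# report whether that old token is still accepted afterwards.
def token_fixation_demo(clean_up:)
  s = CsrfSession.new(clean_up_on_authentication: clean_up)
  pre_login_token = s.csrf_token # token present in the session before the user authenticates
  s.sign_in(42)                  # constructed user id
  {
    old_token_still_valid: s.valid_token?(pre_login_token),
    new_token_valid: s.valid_token?(s.csrf_token)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "without cleanup: #{token_fixation_demo(clean_up: false)}"
  puts "with cleanup:    #{token_fixation_demo(clean_up: true)}"
end
```

Running the file shows the unpatched behaviour (`old_token_still_valid: true`) next to the fixed behaviour (`old_token_still_valid: false`, `new_token_valid: true`). The check a reviewer wants on any authentication layer is the second case: after a successful sign-in, a token captured before it must no longer validate, while the token handed out after sign-in must.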

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Package   Patched in            Unaffected in
devise    ~> 2.2.5, >= 3.0.1    None