|
| 1 | +--- |
| 2 | +gem: devise |
| 3 | +ghsa: 57hq-95w6-v4fc |
| 4 | +url: https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc |
| 5 | +title: Confirmable "change email" race condition permits |
| 6 | + user to confirm email they have no access to |
| 7 | +date: 2026-03-16 |
| 8 | +description: | |
| 9 | + ## Impact |
| 10 | +
|
| 11 | + A race condition in Devise's Confirmable module allows an attacker |
| 12 | + to confirm an email address they do not own. This affects any Devise |
| 13 | + application using the reconfirmable option (the default when using |
| 14 | + Confirmable with email changes). |
| 15 | +
|
| 16 | + By sending two concurrent email change requests, an attacker can |
| 17 | + desynchronize the confirmation_token and unconfirmed_email fields. |
| 18 | + The confirmation token is sent to an email the attacker controls, |
| 19 | + but the unconfirmed_email in the database points to a victim's |
| 20 | + email address. When the attacker uses the token, the victim's email |
| 21 | + is confirmed on the attacker's account. |
| 22 | +
|
| 23 | + ## Patch |
| 24 | +
|
| 25 | + This is patched in Devise v5.0.3. Users should upgrade as soon as possible. |
| 26 | +
|
| 27 | + ## Workaround |
| 28 | +
|
| 29 | + Applications can override this specific method from Devise models |
| 30 | + to force unconfirmed_email to be persisted when unchanged: |
| 31 | + (assuming your model is User) |
| 32 | +
|
| 33 | + ``` |
| 34 | + class User < ApplicationRecord |
| 35 | + protected |
| 36 | +
|
| 37 | + def postpone_email_change_until_confirmation_and_regenerate_confirmation_token |
| 38 | + unconfirmed_email_will_change! |
| 39 | + super |
| 40 | + end |
| 41 | + end |
| 42 | + ``` |
| 43 | +
|
| 44 | + Note: Mongoid does not seem to respect that will_change! should |
| 45 | + force the attribute to be persisted, even if it did not really |
| 46 | + change, so you might have to implement a workaround similar to |
| 47 | + Devise by setting changed_attributes["unconfirmed_email"] = nil as well. |
| 48 | +patched_versions: |
| 49 | + - ">= 5.0.3" |
| 50 | +related: |
| 51 | + url: |
| 52 | + - https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released |
| 53 | + - https://github.com/heartcombo/devise/pull/5784 |
| 54 | + - https://github.com/heartcombo/devise/issues/5783 |
| 55 | + - https://portswigger.net/research/smashing-the-state-machine |
| 56 | + - https://groups.google.com/g/heartcombo/c/ieiLJhG4EGE/m/PNlIQv54AAAJ |
| 57 | + - https://groups.google.com/g/heartcombo/c/o9mtkcfvt_g/m/SABX6rp8AgAJ |
| 58 | + - https://groups.google.com/g/heartcombo/c/XDII89RV6Ak/m/AJMOyayNAgAJ |
| 59 | + - https://groups.google.com/g/heartcombo/c/TWge7vKELhc/m/gRTrgKz4CQAJ |
| 60 | + - https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc |
0 commit comments