Devise 5.0.4 Patches Critical Open Redirect Vulnerability via Unvalidated Referer Header
The Devise authentication framework for Ruby on Rails has released version 5.0.4, addressing a critical open redirect vulnerability in its FailureApp component. The flaw, tracked as CVE-2026-40295, stems from unvalidated processing of the Referer header during non-GET session timeout scenarios, potentially allowing attackers to redirect authenticated users to malicious external domains.
Devise is among the most widely deployed authentication libraries in the Rails ecosystem, handling user authentication, session management, and account recovery for thousands of production applications. The vulnerability specifically affects applications where sessions expire and users then attempt to reach protected resources. An attacker controlling the Referer header could manipulate the redirect destination, potentially sending users to phishing pages or credential-harvesting sites that mirror the legitimate application. The fix implements proper validation of the Referer header before its value is used in a redirect response.
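The unsafe pattern beside a validated one, as an added Ruby illustration that is not Devise's own code. It assumes a failure handler receives the raw Referer string, the request's hostname and a fallback path, and it compares hostnames only (ports are ignored):

```ruby
require "uri"

# Constructed example, not Devise's FailureApp: decide where to send a user
# whose session timed out on a non-GET request.

# Unsafe pattern: the Referer header is attacker-controlled, so echoing it
# into the Location header is an open redirect.
def redirect_target_unvalidated(referer, fallback)
  referer || fallback
end

# Hardened pattern: accept only a Referer that points back into this
# application, and return a path-only string so no foreign host can ever
# reach the Location header.
def redirect_target_validated(referer, request_host, fallback)
  return fallback if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  # URI::HTTPS subclasses URI::HTTP, so this rejects protocol-relative
  # ("//evil.example/x"), javascript:, data: and other non-web schemes.
  return fallback unless uri.is_a?(URI::HTTP)
  # Host must match exactly (case-insensitively); this also defeats
  # "https://app.example@evil.example/" where app.example is only userinfo.
  return fallback unless uri.host && uri.host.casecmp?(request_host)
  path = uri.path.empty? ? "/" : uri.path
  path += "?#{uri.query}" if uri.query
  path
rescue URI::InvalidURIError
  # Malformed Referer values fall back rather than being passed through.
  fallback
end
```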
Security advisories recommend immediate audit of applications depending on Devise, with particular urgency for public-facing production deployments and any system handling sensitive user data. Organizations should verify their Gemfile or Gemfile.lock configurations reflect version 5.0.4 or later. Given the library's extensive adoption across the Rails ecosystem, this patch carries broad supply chain implications, and downstream projects relying on Devise-dependent gems may also require updates to inherit the security fix. The vulnerability's severity is amplified by its exploitation potential during routine authentication flows, where users expect to be redirected within the trusted application domain.