Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-57821

Good to know:

icon
icon

Date: August 27, 2025

Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a session cookie may be vulnerable, if this can be chained with an attack that allows injection of arbitrary data into the session cookie. This issue has been patched in version 1.3.0. If upgrading is not possible at this time, a way to mitigate the chained attack can be done by explicitly setting SameSite=Lax or SameSite=Strict on the application session cookie.

Severity Score

Related Resources (8)

https://github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3
https://github.com/basecamp/google_sign_in/releases/tag/v1.3.0
https://github.com/basecamp/google_sign_in
https://nvd.nist.gov/vuln/detail/CVE-2025-57821
https://github.com/basecamp/google_sign_in/commit/a0548a604fb17e4eb1a57029f0d87e34e8499623
https://github.com/basecamp/google_sign_in/pull/73
https://github.com/basecamp/google_sign_in/commit/85903651201257d4f14b97d4582e6d968ac32f15
https://www.mend.io/vulnerability-database/CVE-2025-57821

Severity Score

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Top Fix

icon

Upgrade Version

Upgrade to version google_sign_in - 1.3.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us