All Devise CVEs — Complete Vulnerability History
Devise is the most widely used authentication library for Rails. Its CVEs are flaws in the core sign-in logic itself, so they matter for any application that relies on Devise as its login layer.
Ruby
2M+ weekly downloads
1 CVE listed
Highest listed severity: MEDIUM
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-5421 | 2019 | MEDIUM | Lockable race condition: concurrent failed sign-ins could exceed maximum_attempts before the account was locked | Fixed 4.6.2 |
Current safe version: 4.9.4
```ruby
# Before
gem 'devise', '4.7.3'
# After
gem 'devise', '4.9.4'
```
Then run bundle install (the changed pin makes Bundler re-resolve) and confirm the version that actually got locked with bundle info devise. If you use bundler-audit, bundle-audit check --update will flag any remaining advisory against the locked version.
Common questions
Is the Devise lockout bypass CVE serious?
CVE-2019-5421 is a race condition in the Lockable module. Before 4.6.2, failed_attempts was updated with a read-then-write, so a burst of concurrent wrong-password requests could all read the same count and the account was never locked at maximum_attempts, letting an attacker keep guessing passwords past the configured limit. It only affects applications that enable the Lockable module, and it does not let anyone sign in without a valid password. Update to 4.6.2 or later; if you cannot upgrade immediately, rate limiting in front of the sign-in endpoint (for example with rack-attack) narrows the window but is not a substitute for the fix.
Does Devise handle 2FA?
Devise itself doesn't; add a second factor with a separate gem such as devise-two-factor (TOTP). The 2FA gem sits in the same sign-in path as Devise, so keep both updated and re-check advisories for each when you bump either one.