All OmniAuth CVEs — Complete Vulnerability History
OmniAuth handles OAuth authentication for Rails apps. CVE-2015-9284 is a critical CSRF vulnerability that is still being exploited — it's on the CISA KEV list despite being a 2015 CVE.
Ruby · 2M+ weekly downloads · 2 CVEs total · 🔴 1 CVE on CISA KEV (actively exploited in real attacks)
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2015-9284 | 2015 | 🔴 HIGH | CSRF in OAuth callback via GET request — CISA KEV | Fixed 2.0.0 |
| CVE-2019-3891 | 2019 | HIGH | Authentication bypass via manipulated OAuth state | Fixed 1.9.2 |
Current safe version: 2.1.2. Update the pin in your Gemfile:

```ruby
# Before
gem 'omniauth', '1.9.1'
# After
gem 'omniauth', '2.1.2'
```

Then run `bundle install`.
Common questions
Why is a 2015 CVE still on CISA KEV?
CVE-2015-9284 wasn't fully addressed in the original fix. The proper fix was OmniAuth 2.0 (released 2021), which requires POST-only OAuth callbacks. Many applications are still on OmniAuth 1.x, making this an active attack surface.
What changed in OmniAuth 2.0?
OmniAuth 2.0 requires POST requests for OAuth callbacks by default, eliminating the CSRF vector. It's a breaking change — you need to add the omniauth-rails_csrf_protection gem or configure your OAuth provider for POST callbacks.
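As an added illustration (not OmniAuth's own code and not from this page), the Ruby below models the two settings the answer refers to: the POST-only default that OmniAuth 2.0 exposes as `OmniAuth.config.allowed_request_methods`, and the authenticity-token check that omniauth-rails_csrf_protection adds to the request phase. It needs only the standard library; the `AuthRequestGuard` class, the secret, the session id and the Rack-style env hashes are constructed stand-ins.

```ruby
require 'openssl'
# Models OmniAuth.config.allowed_request_methods (1.x: [:get, :post];
# 2.0 default: [:post]) and the request-phase token check that
# omniauth-rails_csrf_protection adds. Constructed stand-in, not OmniAuth code.
class AuthRequestGuard
  SECRET = 'constructed-demo-secret'.freeze # stands in for secret_key_base
  def initialize(allowed_methods:, verify_token:)
    @allowed_methods = allowed_methods
    @verify_token = verify_token
  end

  # Token a same-origin Rails form would carry, bound to the session.
  def self.token_for(session_id)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, session_id)
  end

  # :redirect_to_provider when the request phase may start, else the refusal reason.
  def call(env)
    method = env['REQUEST_METHOD'].downcase.to_sym
    return :request_method_not_allowed unless @allowed_methods.include?(method)
    if @verify_token
      expected = self.class.token_for(env['rack.session']['id'])
      given = env['params'].fetch('authenticity_token', '')
      return :invalid_authenticity_token unless constant_time_equal?(expected, given)
    end
    :redirect_to_provider
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

SESSION = { 'id' => 'constructed-session-id' }.freeze

# Constructed Rack-style env for a request to /auth/github that carries the
# logged-in user's session (which is exactly what a cross-site GET also carries).
def auth_request(method, params = {})
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/auth/github',
    'rack.session' => SESSION, 'params' => params }
end

def same_origin_post
  auth_request('POST', 'authenticity_token' => AuthRequestGuard.token_for(SESSION['id']))
end

LEGACY    = AuthRequestGuard.new(allowed_methods: [:get, :post], verify_token: false) # OmniAuth 1.x
POST_ONLY = AuthRequestGuard.new(allowed_methods: [:post], verify_token: false)       # OmniAuth 2.0 default
HARDENED  = AuthRequestGuard.new(allowed_methods: [:post], verify_token: true)        # 2.0 + omniauth-rails_csrf_protection
```

`LEGACY` lets a token-less GET through, `POST_ONLY` refuses it by method alone, and `HARDENED` additionally refuses a POST whose authenticity token does not match the session.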