CVE-2015-9284 — OmniAuth CSRF (severity: HIGH)

🔴 CISA KEV CVSS 7.4

CSRF in OAuth callback allows attackers to forge authentication requests. Any application using OmniAuth 1.x for OAuth is vulnerable — the callback accepts GET requests which can be triggered cross-site.

🔴 Actively Exploited

CVE-2015-9284 is on the CISA Known Exploited Vulnerabilities catalog: it is being used in real attacks right now. Fix immediately.

Affected package

Package    Vulnerable    Safe version    Fix guide
omniauth   < 2.0.0       2.1.2           Fix guide →

Timeline

Dec 2015: CVE filed for CSRF in OmniAuth 1.x OAuth callback
Feb 2021: OmniAuth 2.0 released as the proper fix (POST-only callbacks)
2021+: CISA adds to KEV; exploitation confirmed against Rails apps
Ongoing: Many apps still on OmniAuth 1.x; still actively targeted


Common questions

How long has CVE-2015-9284 been exploited?
Despite being filed in 2015, the vulnerable code remained in widespread use because OmniAuth 1.x was the default for years. CISA added it to KEV when exploitation against Rails applications was confirmed in 2021+. Many applications are still on OmniAuth 1.x.
What does the fix require?
OmniAuth 2.0+ requires POST-only OAuth callbacks. Add the omniauth-rails_csrf_protection gem, or configure your OAuth provider for POST callbacks. This is a breaking change, but a necessary one.
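The two controls that close this hole, as an added, stand-alone example (not OmniAuth's code and not from this page's author): a small model of the check OmniAuth 2.x applies to the endpoint that starts the OAuth flow, with the legacy 1.x-style configuration beside the hardened one, run over constructed sample requests. It assumes the page's "callback" is that entry point (/auth/:provider); the `RequestPhaseGuard` module, its config hashes and the `evaluate` helper are all invented for illustration. In a real Rails app the equivalent settings are `OmniAuth.config.allowed_request_methods = [:post]` in the OmniAuth initializer plus the omniauth-rails_csrf_protection gem, which verifies the Rails authenticity token before redirecting to the provider; views must then start the flow with `button_to` (POST) rather than `link_to` (GET).

```ruby
require 'securerandom'

# Added example, not OmniAuth's own code: a stand-alone model of the two
# controls that close the request-phase CSRF hole (POST only + a valid
# authenticity token), so it runs without the omniauth gem installed.
module RequestPhaseGuard
  # Assumed to mirror the OmniAuth 1.x behaviour described on the page:
  # the endpoint answers GET as well as POST and performs no token check.
  LEGACY_CONFIG = { allowed_request_methods: [:get, :post], csrf_protection: false }.freeze

  # OmniAuth 2.x with omniauth-rails_csrf_protection: POST only, and the
  # request must carry an authenticity token matching the session's.
  HARDENED_CONFIG = { allowed_request_methods: [:post], csrf_protection: true }.freeze

  Result = Struct.new(:allowed, :reason)

  # Constant-time comparison so token verification does not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # request:       { method: 'GET'|'POST', params: { 'authenticity_token' => '...' } }
  # session_token: the token stored in the user's own session
  def self.check(request, config:, session_token:)
    verb = request[:method].to_s.downcase.to_sym
    unless config[:allowed_request_methods].include?(verb)
      return Result.new(false, "#{verb.to_s.upcase} not allowed for the request phase")
    end

    if config[:csrf_protection]
      token = request.dig(:params, 'authenticity_token').to_s
      unless secure_compare(token, session_token)
        return Result.new(false, 'missing or invalid authenticity token')
      end
    end

    Result.new(true, 'request phase may proceed')
  end
end

# Constructed sample traffic for the demonstration (not captured data).
SESSION_TOKEN = SecureRandom.hex(16)

# A plain GET to /auth/:provider with no token: the kind of request a
# third-party page can cause the victim's browser to send.
FORGED_GET = { method: 'GET', params: {} }.freeze

# A POST that arrived without the app's token.
POST_NO_TOKEN = { method: 'POST', params: {} }.freeze

# The legitimate button_to submission from the app's own page.
LEGIT_POST = { method: 'POST', params: { 'authenticity_token' => SESSION_TOKEN } }.freeze

# Returns whether each sample request is allowed under each configuration.
def evaluate
  guard = RequestPhaseGuard
  {
    legacy_forged_get:      guard.check(FORGED_GET,    config: guard::LEGACY_CONFIG,   session_token: SESSION_TOKEN).allowed,
    hardened_forged_get:    guard.check(FORGED_GET,    config: guard::HARDENED_CONFIG, session_token: SESSION_TOKEN).allowed,
    hardened_post_no_token: guard.check(POST_NO_TOKEN, config: guard::HARDENED_CONFIG, session_token: SESSION_TOKEN).allowed,
    hardened_legit_post:    guard.check(LEGIT_POST,    config: guard::HARDENED_CONFIG, session_token: SESSION_TOKEN).allowed
  }
end

if __FILE__ == $PROGRAM_NAME
  evaluate.each { |name, allowed| puts "#{name}: #{allowed ? 'ALLOWED' : 'blocked'}" }
end
```

Under the legacy configuration the forged GET is accepted, which is exactly the exposure the advisory describes; under the hardened configuration only the POST carrying the session's token gets through, so a request triggered from another origin is rejected before any redirect to the provider happens. Run the file directly to print the four outcomes.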
