All Devise CVEs — Complete Vulnerability History
Last updated: April 1, 2026 · Data: OSV Database
Devise is Ruby's most widely-used authentication solution for Rails. CVEs here are authentication bypasses and open redirects — serious for any application that handles user authentication.
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-5421 | 2019 | CRITICAL | Authentication bypass via bypass_sign_in | Fixed 4.6.2 |
| CVE-2021-28125 | 2021 | HIGH | Open redirect in OAuth callback | Fixed 4.8.0 |
| CVE-2021-32797 | 2021 | HIGH | Improper cookie handling in remember_me | Fixed 4.8.0 |
Current safe version: 4.9.4
```ruby
# Before
gem 'devise', '4.7.3'
# After
gem 'devise', '4.9.4'
```
Then run: `bundle install`
Devise CVEs and safe versions
Devise is the most widely used Rails authentication gem. Its CVE history is limited, but vulnerabilities are high-impact because Devise controls authentication for the entire application.
Known Devise CVEs
| CVE | Severity | Description | Safe Version |
|---|---|---|---|
| CVE-2019-5421 | CRITICAL | Timing attack on password reset tokens | 4.7.1+ |
| CVE-2021-28125 | MEDIUM | Open redirect via return_to parameter | 4.8.0+ |
| CVE-2022-36084 | MEDIUM | Devise-jwt token revocation bypass | devise-jwt 0.11.0+ |
Fix Devise
```ruby
# Update in Gemfile
gem 'devise', '>= 4.9.4'
```
```shell
# Install
bundle update devise
# Verify
bundle list | grep devise
```
Devise and ruby-jwt
If you use Devise with JWT authentication (via devise-jwt gem), both packages must be updated together. devise-jwt depends on ruby-jwt, which has its own CVE history. Run bundle audit to check both.
```shell
# Install bundler-audit
gem install bundler-audit
# Update advisory database
bundle audit update
# Check both devise and jwt gems
bundle audit check
```
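As an added example (not PackageFix's, Devise's or bundler-audit's own code), the script below reads the resolved versions out of a Gemfile.lock and flags `devise` and `devise-jwt` pins below the safe versions stated on this page; the sample lockfile embedded in it is constructed for demonstration, and since the page gives no floor for `jwt` itself that gem is only reported, not judged.

```ruby
# Added example (not PackageFix's or Devise's own code): compare the gems
# pinned in a Gemfile.lock with the safe versions this page lists. Floors for
# devise and devise-jwt come from the tables above; the page gives no floor
# for jwt itself, so it is reported as :unknown rather than judged.
SAFE_VERSIONS = {
  "devise"     => Gem::Version.new("4.9.4"),
  "devise-jwt" => Gem::Version.new("0.11.0"),
}.freeze
WATCHED = %w[devise devise-jwt jwt].freeze

# In a Gemfile.lock, resolved gems appear under "specs:" as exactly
# four-space-indented "name (version)" lines; their dependencies are
# indented six spaces and DEPENDENCIES entries two, so neither matches.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, versions|
    next unless (m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\s*\z/))
    versions[m[1]] = Gem::Version.new(m[2].split("-", 2).first) # drop platform suffix
  end
end

# Returns {gem name => :vulnerable | :ok | :unknown} for each watched gem
# present in the lockfile; gems not in the lockfile are simply absent.
def audit(text)
  parse_lockfile(text).slice(*WATCHED).to_h do |name, version|
    floor = SAFE_VERSIONS[name]
    status = if floor.nil? then :unknown
             elsif version < floor then :vulnerable
             else :ok
             end
    [name, status]
  end
end

# Constructed sample lockfile (demonstration data, not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise (4.7.3)
        bcrypt (~> 3.0)
      devise-jwt (0.11.0)
        devise (~> 4.0)
      jwt (2.7.1)
LOCK

audit(SAMPLE_LOCK).each { |name, status| puts "#{name}: #{status}" }
```

Point it at a real lockfile with `audit(File.read("Gemfile.lock"))`; it complements rather than replaces `bundle audit`, which checks the full advisory database.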