Cross-Site Scripting Vulnerability in Basecamp's Google Sign-In for Rails Applications
CVE-2025-57821
What is CVE-2025-57821?
CVE-2025-57821 is a cross-site scripting (XSS) vulnerability identified in Basecamp's Google Sign-In integration for Rails applications. This product allows developers to implement Google sign-in functionality seamlessly into their web applications. The vulnerability arises from a flaw in the handling of malformed URLs that successfully bypass the "same origin" policy, which is essential for preventing unauthorized redirects. Effectively, this flaw enables malicious actors to redirect users to unauthorized origins, potentially compromising their security and privacy. If exploited in tandem with another attack that allows manipulation of session cookies—particularly those configured to store flash information—an attacker could inject arbitrary data into the session, leading to further malicious activities. This vulnerability was addressed in version 1.3.0 of the Google Sign-In integration.
Potential impact of CVE-2025-57821
- User Redirection: The vulnerability allows attackers to redirect users to malicious sites, which could lead to phishing attacks or credential theft, as users may inadvertently provide sensitive information to an unauthorized source.
- Session Cookie Manipulation: If attackers successfully exploit the vulnerability, they can manipulate session cookies, potentially allowing for unauthorized access to user accounts and sensitive data stored within those sessions.
- Security Breach and Reputation Damage: Organizations relying on affected versions of the Google Sign-In integration may face significant security breaches, risking exposed user data. This could lead to financial loss and damage to the organization's reputation if customer trust is compromised.

Affected Version(s)
google_sign_in < 1.3.0
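
To check an application against the affected range above, the following Ruby script reads a Gemfile.lock and reports whether the resolved google_sign_in version is below 1.3.0. It is an added example, not code from the advisory or from the google_sign_in project; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version (loaded by default; explicit for clarity)

GEM_NAME = "google_sign_in"            # gem name as given in the advisory
FIXED_IN = Gem::Version.new("1.3.0")   # fixed version as given in the advisory

# Constructed sample lockfile (illustrative only, not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      google_sign_in (1.2.0)
        rails (>= 5.2.0)
      rack (2.2.8)

  PLATFORMS
    ruby

  DEPENDENCIES
    google_sign_in
LOCK

# Resolved specs sit at exactly 4 spaces of indent under "specs:".
# 6-space lines are dependency constraints and 2-space lines are the
# DEPENDENCIES section, so neither is mistaken for a resolved version.
def locked_versions(lockfile_text, name = GEM_NAME)
  pattern = /^ {4}#{Regexp.escape(name)} \((\d[0-9A-Za-z.]*)(?:-[^)]*)?\)\s*$/
  lockfile_text.scan(pattern).map { |(v)| Gem::Version.new(v) }
end

# Returns :absent, :vulnerable or :patched plus the versions found.
# Pre-releases such as 1.3.0.rc1 sort below 1.3.0 and are flagged,
# which is the conservative reading of "< 1.3.0".
def audit(lockfile_text)
  versions = locked_versions(lockfile_text)
  return { status: :absent, versions: [] } if versions.empty?
  status = versions.any? { |v| v < FIXED_IN } ? :vulnerable : :patched
  { status: status, versions: versions.map(&:to_s) }
end

# Usage: ruby audit_google_sign_in.rb path/to/Gemfile.lock
if __FILE__ == $PROGRAM_NAME && ARGV.first
  result = audit(File.read(ARGV.first))
  puts "#{GEM_NAME}: #{result[:status]} #{result[:versions].join(', ')}"
  exit(result[:status] == :vulnerable ? 1 : 0)
end
```

The non-zero exit status on a vulnerable version lets the script act as a CI gate.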
