Cross-Site Scripting Vulnerability in Basecamp's Google Sign-In for Rails Applications
CVE-2025-57821

4.2 MEDIUM

Key Information:

Vendor: Basecamp
CVE Published: 27 August 2025

What is CVE-2025-57821?

Basecamp's Google Sign-In integrates Google login into Rails applications. Versions prior to 1.3.0 were susceptible to a cross-site scripting vulnerability: an attacker could craft a malformed URL that bypassed the same origin policy and redirected users to malicious sites. The issue is particularly critical for Rails applications that store flash information in session cookies, especially if an attacker can inject arbitrary data into those cookies. Users are encouraged to upgrade to version 1.3.0 or, as a mitigation, to set the SameSite attribute on session cookies so that cross-origin requests are handled more strictly.

Affected Version(s)

google_sign_in < 1.3.0
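
A way to check an application against this advisory, as an added example rather than code from the advisory or the gem: it reads the locked `google_sign_in` version from `Gemfile.lock` text and the `SameSite` attribute from the session cookie's `Set-Cookie` header. The function names, sample lockfile and sample cookie are constructed for illustration, and treating `Lax` and `Strict` as the mitigating values is an assumption.

```ruby
require "rubygems" # Gem::Version gives correct version ordering (1.10.0 > 1.3.0)

FIXED_VERSION = Gem::Version.new("1.3.0") # first patched release, per the advisory

# Constructed sample inputs (not taken from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      google_sign_in (1.2.0)
        rails (>= 5.2.0)
      rails (7.1.0)

  DEPENDENCIES
    google_sign_in
LOCK
SAMPLE_COOKIE = "_example_session=abc123; path=/; HttpOnly; SameSite=Lax"

# Returns the resolved google_sign_in version from Gemfile.lock text, or nil.
# Resolved gems sit exactly four spaces deep under "specs:"; dependency
# constraints (deeper indentation) and the DEPENDENCIES list do not match.
def locked_google_sign_in_version(lockfile_text)
  m = lockfile_text.match(/^ {4}google_sign_in \((\d+(?:\.[0-9A-Za-z]+)*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Returns the SameSite value of a Set-Cookie header as a symbol, or nil if
# the attribute is absent. Attribute names are case-insensitive.
def same_site_of(set_cookie_header)
  set_cookie_header.split(";").drop(1).each do |attr|
    name, value = attr.strip.split("=", 2)
    return value.to_s.strip.downcase.to_sym if name.to_s.casecmp?("samesite")
  end
  nil
end

# Combines both checks into one finding for the application.
def assess(lockfile_text, session_set_cookie)
  version = locked_google_sign_in_version(lockfile_text)
  return :not_installed if version.nil?
  return :patched if version >= FIXED_VERSION
  # Assumption: only Lax or Strict count as the SameSite mitigation.
  %i[lax strict].include?(same_site_of(session_set_cookie)) ? :vulnerable_mitigated : :vulnerable
end

puts assess(SAMPLE_LOCK, SAMPLE_COOKIE) if __FILE__ == $PROGRAM_NAME
```

A `:vulnerable_mitigated` result still calls for the upgrade to 1.3.0; the cookie attribute is the stopgap the advisory describes, not the fix.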

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
