Open Redirect in Basecamp's Google Sign-In for Rails Applications
CVE-2025-58067

4.2MEDIUM

Key Information:

Vendor

Basecamp

Status
Google Sign In
Vendor
CVE Published:
29 August 2025

What is CVE-2025-58067?

A vulnerability exists in Basecamp's Google Sign-In gem for Rails applications, allowing potential redirection to a malicious site. This issue arises when a session store's 'proceed_to' value is improperly set to a protocol-relative URL. Malicious actors could exploit this by manipulating session values through a deceptive form submission, which may lead to unauthorized redirection if combined with other attacks targeting OAuth2 request parameters. The vulnerability has been addressed in version 1.3.1, and there are currently no workarounds.

Affected Version(s)

google_sign_in < 1.3.1

References

https://github.com/basecamp/google_sign_in/security/advis...
x_refsource_CONFIRM
https://github.com/basecamp/google_sign_in/pull/75
x_refsource_MISC
https://github.com/basecamp/google_sign_in/commit/e97aef4...
x_refsource_MISC

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-58067 : Open Redirect in Basecamp's Google Sign-In for Rails Applications