---
gem: devise
cve: 2019-5421
url: https://github.com/plataformatec/devise/issues/4981
title: Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
date: 2019-02-07
description: |
  The Devise Ruby gem before 4.6.0, when the `lockable` module is used, is vulnerable to a
  time-of-check time-of-use (TOCTOU) race condition because `increment_failed_attempts`
  in the `Devise::Models::Lockable` class is not concurrency safe: concurrent failed
  logins can each read and write the same `failed_attempts` value, so the count of
  failures (and therefore the lockout) can be lower than the number of attempts made.

patched_versions:
  - ">= 4.6.0"

cvss_v2: 7.5
cvss_v3: 9.8