---
gem: devise
osvdb: 114435
url: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
title: CSRF token fixation attacks in Devise
date: 2013-08-02

description: |
  Devise contains a flaw that allows a remote, user-assisted attacker to
  conduct a CSRF token fixation attack. This issue is triggered as previous
  CSRF tokens are not properly invalidated when a new token is created.
  If an attacker has knowledge of said token, a specially crafted request can
  be made to it, allowing the attacker to conduct CSRF attacks.

patched_versions:
  - ~> 2.2.5
  - ">= 3.0.1"