CVE-2015-9284
Description
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The request phase of the OmniAuth Ruby gem (versions 1.9.1 and earlier) lacks CSRF protection, allowing an attacker to link an OAuth account of their choosing to a victim's application account without the victim's consent.
Vulnerability Overview
The OmniAuth Ruby gem [1] (versions 1.9.1 and earlier) contains a Cross-Site Request Forgery (CSRF) vulnerability in its request phase when used with Ruby on Rails [2]. The request phase is the endpoint that starts an OAuth flow (by default a request to /auth/:provider, which redirects the browser to the provider). In the affected versions it is reachable with a plain GET and validates no CSRF token, so an attacker can start an authentication flow from the victim's browser without the victim's knowledge or consent [4].
Exploitation Details
To exploit this, an attacker must get a victim who is already signed in to the target web application to visit an attacker-controlled page or a crafted URL that makes the victim's browser request the OmniAuth request phase (e.g. /auth/provider). The browser attaches the victim's session cookie to that request, and because no token is checked the flow starts silently, with no interaction or feedback. If the victim's browser is also holding a session at the OAuth provider that the attacker controls (for example, one established through a login CSRF at the provider), the identity the provider returns is the attacker's, and it is linked to the victim's application account without any user interaction [4]. The attack is therefore most effective when combined with a CSRF weakness on the provider side, but the OmniAuth CSRF alone suffices when the provider does not require re-authorization and returns the identity without prompting [4].
Impact
Successful exploitation allows the attacker to subsequently sign in to the web application using their own OAuth account, which is now linked to the victim's primary account [2]. This grants the attacker full access to the victim's account and any associated data or privileges.
Mitigation
OmniAuth 2.0.0 addresses this by accepting only POST requests for the request phase by default, so a plain link, image tag or redirect can no longer start the flow, and by introducing a configurable request_validation_phase in which the application verifies a CSRF token before the flow begins [3]. The hook is a place to plug a check into rather than a check in itself: an application on 2.0.0 must still configure it (and render the request as a POST form that carries the token) to get CSRF protection for the request phase. Users of earlier versions should upgrade to 2.0.0 or later, or add application-level CSRF protection to the request phase as recommended in the OmniAuth documentation [3][4].
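The exploitation and mitigation passages above, as one runnable model added here as an example (it is not OmniAuth's code and not code from this page): a small Ruby class that stands in for the OmniAuth request phase and exposes the two controls OmniAuth 2.0 introduced, an allowlist of request methods and a request validation hook. It runs a constructed cross-site GET, a constructed cross-site POST with a guessed token, and a legitimate POST against the pre-2.0 configuration and the hardened one. The class and method names, the session layout, and the status codes 405 and 422 are assumptions chosen for illustration, not OmniAuth's behaviour.

```ruby
# Added example, not OmniAuth's code: a minimal model of the OmniAuth request
# phase (the endpoint that starts an OAuth flow) used to show why the pre-2.0
# configuration is CSRF-able and what the 2.0 controls change. Class and method
# names, the session layout and the HTTP status codes are assumptions.
require "securerandom"

class RequestPhase
  # A request as the app sees it: verb, path, form/query params and the
  # server-side session that the victim's cookie selects.
  Request = Struct.new(:method, :path, :params, :session, keyword_init: true)

  PROVIDER_AUTHORIZE_URL = "https://provider.example/oauth/authorize?client_id=demo"

  # allowed_request_methods: verbs that may start the flow (OmniAuth 2.0
  # defaults to POST only). request_validation_phase: optional callable that
  # must return true before the flow starts (nil in the vulnerable setup).
  def initialize(allowed_request_methods:, request_validation_phase: nil)
    @allowed_request_methods = allowed_request_methods
    @request_validation_phase = request_validation_phase
  end

  # Returns [status, headers]. 302 means the OAuth flow was started.
  def call(request)
    return [405, {}] unless @allowed_request_methods.include?(request.method)
    if @request_validation_phase && !@request_validation_phase.call(request)
      return [422, {}]
    end
    [302, { "Location" => PROVIDER_AUTHORIZE_URL }]
  end
end

# Constant-time comparison so the token check does not leak by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Validation hook in the style of a Rails authenticity-token check: the token
# submitted with the form must match the one stored in the user's session.
CSRF_TOKEN_CHECK = lambda do |request|
  expected = request.session[:csrf_token]
  supplied = request.params["authenticity_token"]
  !expected.nil? && !supplied.nil? && secure_compare(expected, supplied)
end

# Pre-2.0 behaviour: GET allowed, nothing validated.
VULNERABLE = RequestPhase.new(allowed_request_methods: [:get, :post])
# 2.0-style configuration: POST only plus a token check wired into the hook.
HARDENED = RequestPhase.new(allowed_request_methods: [:post],
                            request_validation_phase: CSRF_TOKEN_CHECK)

# Constructed victim session: signed in to the app, with a per-session token
# that only pages served by the app can embed in a form.
VICTIM_SESSION = { user_id: 42, csrf_token: SecureRandom.hex(16) }.freeze

# Cross-site GET, e.g. <img src="https://app.example/auth/provider"> on an
# attacker page. The session cookie rides along; the token cannot.
def cross_site_get
  RequestPhase::Request.new(method: :get, path: "/auth/provider",
                            params: {}, session: VICTIM_SESSION)
end

# Cross-site POST from an auto-submitting form: the attacker picks the verb
# but still has to guess the token (same length, wrong value here).
def cross_site_post
  RequestPhase::Request.new(method: :post, path: "/auth/provider",
                            params: { "authenticity_token" => "0" * 32 },
                            session: VICTIM_SESSION)
end

# POST from a form the app itself rendered, carrying the real token.
def legitimate_post
  RequestPhase::Request.new(method: :post, path: "/auth/provider",
                            params: { "authenticity_token" => VICTIM_SESSION[:csrf_token] },
                            session: VICTIM_SESSION)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, cross-site GET:  #{VULNERABLE.call(cross_site_get).first}"
  puts "hardened, cross-site GET:    #{HARDENED.call(cross_site_get).first}"
  puts "hardened, forged POST:       #{HARDENED.call(cross_site_post).first}"
  puts "hardened, legitimate POST:   #{HARDENED.call(legitimate_post).first}"
end
```

The vulnerable configuration answers the cross-site GET with a 302 to the provider, which is the whole attack: the flow is under way before the victim sees anything. The hardened configuration refuses the GET on the method allowlist and the forged POST on the token check, and only the form the application rendered gets through. Note that restricting the verb alone would still let an auto-submitting cross-site form start the flow; the token check is what ties the request to a page the application served.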
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| omniauth (RubyGems) | < 2.0.0 | 2.0.0 |
Patches
aef9f623c0be: Add v2.0.0 as a patched version for CVE-2015-9284
1 file changed · +3 −0
gems/omniauth/CVE-2015-9284.yml+3 −0 modified@@ -20,6 +20,9 @@ description: | cvss_v2: 6.8 cvss_v3: 8.8 +patched_versions: + - ">= 2.0.0" + related: url: - https://github.com/omniauth/omniauth/pull/809
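Review bot: the hunk adds `patched_versions: - ">= 2.0.0"` but leaves the `description: |` block untouched, and this page's own mitigation text says 2.0.0 only changes the default request method to POST and makes the CSRF check a configurable request_validation_phase, so an application on >= 2.0.0 that never configures that phase still has no token check on the request phase; suggest noting in the description that the patched range assumes the validation phase is configured, otherwise `patched` reads as "safe by upgrade alone". Minor: the Affected packages table on this page lists the patched version as `2.0.0` while the hunk writes `">= 2.0.0"`; the two should agree.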
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-ww4x-rwq6-qpgf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-9284 (NVD advisory)
- github.com/omniauth/omniauth-rails/pull/1
- github.com/omniauth/omniauth/issues/1031
- github.com/omniauth/omniauth/pull/809
- github.com/omniauth/omniauth/releases/tag/v1.9.2
- github.com/omniauth/omniauth/releases/tag/v2.0.0
- github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml
- github.com/rubysec/ruby-advisory-db/commit/aef9f623c0be838234d53baf18977564804da397
- www.openwall.com/lists/oss-security/2015/05/26/11 (oss-security mailing list)