CVE-2019-5421
Description
Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the Devise::Models::Lockable class, more specifically in the #increment_failed_attempts method (file location: lib/devise/models/lockable.rb). Multiple concurrent requests can prevent an attacker from being blocked during brute-force attacks. This attack appears to be exploitable via network connectivity (brute-force attacks). This vulnerability appears to have been fixed in 4.6.0 and later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Devise's lockable module has a race condition that allows attackers to bypass brute-force account lockout via concurrent requests.
Vulnerability
A race condition exists in Devise::Models::Lockable#increment_failed_attempts in Devise versions 4.5.0 and earlier [1][2]. The method reads the failed_attempts value from the database and then increments it in two separate steps, rather than atomically. This allows concurrent requests to both read the same initial value and overwrite each other's increments, failing to correctly track failed login attempts. The vulnerability is classified as CWE-367 (Time-of-check Time-of-use race condition).
Exploitation
An attacker with network connectivity can perform a brute-force password attack by sending multiple authentication requests concurrently (e.g., using a multithreaded client) [2][3][4]. The race window is triggered when two or more requests reach the increment_failed_attempts method before any of them has written the updated count back to the database, causing the counter to increment by fewer than the total number of failed attempts. No authentication or special privileges are required to initiate the attack.
Impact
A successful exploitation allows the attacker to indefinitely bypass the account lockout mechanism designed to prevent brute-force password guessing [2][4]. The failed_attempts counter may never reach the configured limit, meaning the account remains unlocked even after many repeated failed login attempts. This enables an unauthenticated attacker to continue brute-forcing credentials without triggering a lockout, increasing the risk of account compromise.
Mitigation
The vulnerability is fixed in Devise version 4.6.0 [2][3]. The fix replaces the non-atomic read-then-increment pattern with ActiveRecord's #increment! method, which performs a single atomic database operation [3][4]. Users should upgrade to Devise 4.6.0 or later. For users unable to upgrade immediately, a workaround involving a raw SQL update (as shown in the issue report [4]) may be applied, but this is database-specific and not officially supported. No KEV listing is associated with this CVE.
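An added illustration of the lost-update race described above (this is example code written for this page, not Devise's own code): a toy in-memory "users row" replaces the database, a `sleep` stands in for the latency between the read and the write-back, and a Mutex models the row-level atomicity that a single `UPDATE ... SET failed_attempts = failed_attempts + 1` statement (what ActiveRecord's `increment!` issues) gets from the database engine. Names such as `UserRow` and `simulate` are this example's own.

```ruby
# Added example (not from Devise): lost-update race in a read-then-write
# failed_attempts counter versus an atomic increment.
require "thread"

# Toy stand-in for one row of the users table.
class UserRow
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
    @lock = Mutex.new # models the DB engine's per-row atomic UPDATE
  end

  # Vulnerable pattern (pre-4.6.0 shape): read the column into Ruby, then
  # write the computed value back. The sleep is the assumed DB/network
  # latency between the two steps; concurrent requests all read the same
  # starting value and overwrite each other's increments.
  def increment_read_then_write(latency)
    current = @failed_attempts
    sleep(latency)
    @failed_attempts = current + 1
  end

  # Fixed pattern: the increment is one indivisible operation, so no
  # request can observe a stale value in between.
  def increment_atomic(latency)
    @lock.synchronize do
      sleep(latency)
      @failed_attempts += 1
    end
  end
end

# Fire `requests` concurrent failed logins against a fresh row and return
# how many failures the counter actually recorded.
def simulate(requests:, atomic:, latency: 0.02)
  row = UserRow.new
  threads = Array.new(requests) do
    Thread.new do
      atomic ? row.increment_atomic(latency) : row.increment_read_then_write(latency)
    end
  end
  threads.each(&:join)
  row.failed_attempts
end

if __FILE__ == $PROGRAM_NAME
  puts "read-then-write: #{simulate(requests: 10, atomic: false)} of 10 failures counted"
  puts "atomic:          #{simulate(requests: 10, atomic: true)} of 10 failures counted"
end
```

With the non-atomic pattern the counter typically ends at 1, so a lockout threshold such as Devise's configurable maximum_attempts is never reached; the atomic pattern records all 10.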
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devise (RubyGems) | < 4.6.0 | 4.6.0 |
Affected products
- Plataformatec/Devise (Ruby gem). Range: 4.5.0 and earlier using the lockable module
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-73rf-6mrf-759q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5421 (NVD advisory)
- github.com/plataformatec/devise/issues/4981 (issue report)
- github.com/plataformatec/devise/pull/4996 (fix pull request)