CVE-2021-43177
Description
In devise-two-factor prior to 4.0.2, an incomplete fix allows reuse of a TOTP for one trailing time interval, enabling OTP replay.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In devise-two-factor prior to 4.0.2, an incomplete fix allows reuse of a TOTP for one trailing time interval, enabling OTP replay.
Vulnerability
In devise-two-factor versions prior to 4.0.2, an incomplete fix for CVE-2015-7225 allows a One-Time Password (OTP) generated by the TOTP scheme to be reused for one immediately trailing time interval. The flaw occurs in the OTP validation logic, where the window of accepted codes is not properly restricted, permitting reuse of a previously valid OTP within the next TOTP interval. This affects all deployments using devise-two-factor with TOTP-based two-factor authentication [1][2][4].
Exploitation
To exploit this vulnerability, an attacker must possess a valid OTP that was generated by the target user's authenticator for a given time interval. The attacker must then use that same OTP during the immediately following time interval. The attacker does not need any special network position beyond being able to submit the OTP to the authentication endpoint (e.g., via a login form). No user interaction beyond the legitimate OTP generation is required, and the attack race window is bounded to a single TOTP interval (typically 30 seconds). Authentication as a low-privileged user is required to attempt login [2][4].
Impact
Successful exploitation allows an authenticated attacker to reuse a one-time password, effectively bypassing the intended single-use property of TOTP. This could enable an attacker who has obtained a valid OTP (e.g., through phishing or interception) to authenticate as the victim user during the subsequent time interval. The CVSS vector indicates a high impact on confidentiality (C:H), as the attacker could gain unauthorized access to the victim's account, but no impact on integrity (I:N) or availability (A:N) [2][4].
Mitigation
The vulnerability is fixed in devise-two-factor version 4.0.2, released on March 24, 2022. Users are strongly advised to upgrade to version 4.0.2 or later immediately. No workarounds have been provided. The package is actively maintained, and the fix is available from RubyGems and the GitHub repository [1][4]. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
devise-two-factorRubyGems | < 4.0.2 | 4.0.2 |
Affected products
2- Range: < 4.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-jm35-h8q2-73mpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-43177ghsaADVISORY
- github.com/rubysec/ruby-advisory-db/blob/master/gems/devise-two-factor/CVE-2021-43177.ymlghsaWEB
- github.com/tinfoil/devise-two-factor/issues/106ghsaWEB
- github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mpghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.