CVE-2025-58067: 
Ruby vulnerability analysis and mitigation

CVE-2025-58067 affects Basecamp's Google Sign-In gem for Rails applications prior to version 1.3.1. The vulnerability was discovered and disclosed on August 29, 2025, and involves a potential open redirect vulnerability where users could be redirected to another origin if the 'proceedto' value in the session store is set to a protocol-relative URL ([GitHub Advisory](https://github.com/basecamp/googlesign_in/security/advisories/GHSA-5jch-xhw4-r43v)).

The vulnerability exists in the URL validation mechanism of the Google Sign-In gem. When the 'proceedto' URL is set to a protocol-relative URL, it incorrectly passes the 'same origin' check. The vulnerability has been assigned a CVSS v3.1 score of 4.2 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating network attack vector with high complexity, no privileges required, and user interaction required ([GitHub Advisory](https://github.com/basecamp/googlesign_in/security/advisories/GHSA-5jch-xhw4-r43v)).

If exploited, this vulnerability could allow attackers to redirect users to malicious sites after authentication, potentially exposing authentication information if chained with other attacks. The vulnerability primarily affects Rails applications using the googlesignin gem where attackers can modify OAuth2 request parameters (GitHub Advisory).

The vulnerability has been patched in version 1.3.1 of the googlesignin gem. There are no known workarounds, and users are advised to upgrade to the patched version (GitHub Release).

The vulnerability was responsibly reported by Hackerone user muntrive and was addressed promptly by the Basecamp team through a security patch (GitHub Advisory).