CVE-2025-58067: 
Ruby vulnerability analysis and mitigation

Basecamp's Google Sign-In gem (google_sign_in) prior to version 1.3.1 contains a vulnerability (CVE-2025-58067) that was discovered and disclosed on August 29, 2025. The vulnerability affects Rails applications using the google_sign_in gem and allows potential redirection to untrusted sites if the 'proceed_to' value in the session store is set to a protocol-relative URL (GitHub Advisory).

The vulnerability occurs when the google_sign_in gem persists an optional URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly passes the 'same origin' check, potentially allowing redirection to another origin after authentication. The issue has been assigned a CVSS v3.1 score of 4.2 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site (GitHub Advisory).

If successfully exploited, this vulnerability could lead to exposure of authentication information when chained with other attacks that can modify OAuth2 request parameters. The vulnerability primarily affects the confidentiality and integrity of the application, with potential for phishing attacks through malicious redirections (GitHub Advisory).

The vulnerability has been patched in version 1.3.1 of the google_sign_in gem. There are no known workarounds, and users are advised to upgrade to the latest version. The fix includes additional validation to prevent protocol-relative URIs from passing the same-origin check (GitHub Release).