SCA: security update for google_sign_in (GHSA-5jch-xhw4-r43v)

medium Tenable Cloud Security Plugin ID 435160

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is
possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a
protocol-relative URL. Normally the value of this URL is only written and read by the library or the
calling application. However, it may be possible to set this session value from a malicious site with a
form submission. Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can
be chained with another attack that is able to modify the OAuth2 request parameters. This issue has been
patched in version 1.3.1. There are no workarounds. (CVE-2025-58067)

See Also

https://github.com/advisories/GHSA-5jch-xhw4-r43v

Plugin Details

Severity: Medium

ID: 435160

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 8/30/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.46

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-58067

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Temporal Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/29/2025

Vulnerability Publication Date: 8/29/2025

Reference Information

CVE: CVE-2025-58067

cwe: CWE-601