CVE-2023-48220
MEDIUMDecidim's devise_invitable gem vulnerable to circumvention of invitation token expiry period
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
decidim💎decidim-admin💎decidim-system💎devise_invitable💎decidim💎decidim-admin💎decidim-systemReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects RubyGems packages — download data is not available via public APIs for these ecosystems.
Description
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the devise_invitable gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the decidim, decidim-admin, and decidim-system gems. When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the invite_for expiry period. Decidim sets this configuration to 2.weeks so this configuration should be respected. The bug is in the devise_invitable gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. devise_invitable to version 2.0.9 and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the decidim, decidim-admin, and decidim-system gems contain this fix. As a workaround, invitations can be cancelled directly from the database.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 💎RubyGems | decidim | ≥ 0.0.1.alpha3&&< 0.26.9 | 0.26.9 |
| 💎RubyGems | decidim-admin | ≥ 0.0.1.alpha3&&< 0.26.9 | 0.26.9 |
| 💎RubyGems | decidim-system | ≥ 0.0.1.alpha3&&< 0.26.9 | 0.26.9 |
| 💎RubyGems | devise_invitable | ≥ 0.4.rc3&&< 2.0.9 | 2.0.9 |
| 💎RubyGems | decidim | ≥ 0.27.0&&< 0.27.5 | 0.27.5 |
| 💎RubyGems | decidim-admin | ≥ 0.27.0&&< 0.27.5 | 0.27.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for decidim. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update decidim to 0.26.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms CVE-2023-48220 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether CVE-2023-48220 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to CVE-2023-48220. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is CVE-2023-48220 in your dependencies?
O3 detects CVE-2023-48220 across RubyGems dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.