GHSA-w3q8-m492-4pwp
MEDIUMPossibility to circumvent the invitation token expiry period
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
decidim💎decidim-admin💎decidim-system💎devise_invitable💎decidim💎decidim-admin💎decidim-systemReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects RubyGems packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.
When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the devise_invitable gem:
https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
The only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the invite_for expiry period as explained in the gem's documentation:
https://github.com/scambra/devise_invitable#model-configuration-
invite_for: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. Wheninvite_foris0(the default), the invitation won’t expire.
Decidim sets this configuration to 2.weeks so this configuration should be respected:
https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
The bug is in the devise_invitable gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.
Patches
Update devise_invitable to version 2.0.9 or above by running the following command:
$ bundle update devise_invitable
Workarounds
The invitations can be cancelled directly from the database by running the following command from the Rails console:
> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)
References
OWASP ASVS V4.0.3-2.3.1
This bug has existed in the devise_invitable gem since this commit which was first included in the v0.4.rc3 release of this gem:
https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
All versions since then are affected.
This gem was first introduced at its version ~> 1.7.0 to the decidim-admin gem in this commit which was first included in the v0.0.1.alpha3 release of Decidim:
https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
It was first introduced at its version ~> 1.7.0 to the decidim-system gem in this commit which was also first included in the v0.0.1.alpha3 release of Decidim:
https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
Credits
This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by Deloitte Finland.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 💎RubyGems | decidim | ≥ 0.0.1.alpha3&&< 0.26.9 | 0.26.9 |
| 💎RubyGems | decidim-admin | ≥ 0.0.1.alpha3&&< 0.26.9 | 0.26.9 |
| 💎RubyGems | decidim-system | ≥ 0.0.1.alpha3&&< 0.26.9 | 0.26.9 |
| 💎RubyGems | devise_invitable | ≥ 0.4.rc3&&< 2.0.9 | 2.0.9 |
| 💎RubyGems | decidim | ≥ 0.27.0&&< 0.27.5 | 0.27.5 |
| 💎RubyGems | decidim-admin | ≥ 0.27.0&&< 0.27.5 | 0.27.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for decidim. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update decidim to 0.26.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-w3q8-m492-4pwp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-w3q8-m492-4pwp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-w3q8-m492-4pwp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-w3q8-m492-4pwp in your dependencies?
O3 detects GHSA-w3q8-m492-4pwp across RubyGems dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.