Please upgrade your Spree stores now to their latest gem versions 1.3.2, 1.2.4, 1.1.5 or 1.0.7.
Thanks to the work of Egor Homakov, we have located and patched two serious exploits within Spree.
The first allows a user to authenticate as a random user to the API, which could
potentially lead them to authenticating as an admin user for the store. The
second allows them to issue a Denial of Service attack against the store using
an especially crafted URL.
We have patched the 1-0-stable, 1-1-stable, 1-2-stable, 1-3-stable and master
branches for Spree, as well as released new gem versions for the stable
We strongly advise all Spree stores to upgrade to their latest gem versions so
that they are not affected by these exploits.