We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker to carry out a CSRF attack and gain access to private information. Users are advised to upgrade immediately.
We have officially released the following new Spree versions: 2.2.10, 2.3.8, 2.4.5, and 3.0.0.rc4. These API versions are not backwards compatible and contain breaking changes to address the security vulnerability. To see a complete list of changes, please view the compare pages:
Details on the security patch
We strongly advise everyone to upgrade to the latest version of Spree available for their stores. For example, if you’re running v2.4.4, please upgrade to v2.4.5 immediately.
Alternatively, you can fork Spree to a local `vendor/gems/spree` directory within your application and apply the patch using one of these commands:
- 2-2-stable: git cherry-pick e2adc67680c43eac82a44047cca62ab4d306a54b
- 2-3-stable: git cherry-pick 5409de614da27431321e57f2cfcf940a1b15e3f0
- 2-4-stable: git cherry-pick 02c4e6f8cfb0c2c13e904739f2991454b141c9b4
- 3-0-stable: git cherry-pick 4688106985eeea4a211fb5d0d9c4cacb92e72145
If you are running an unsupported version of Spree, cherry-pick the 2-2-stable commit to back-port the change to your own fork.
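The vendoring procedure above, rehearsed end to end as an added shell example that is not part of the advisory: it builds a throwaway upstream repository whose master branch carries a fix commit that the stable branch lacks, clones it into vendor/gems/spree, cherry-picks the fix onto 2-2-stable, and checks that the patch actually landed before appending the Gemfile path line. The fixture repository, its PATCH_LEVEL file and the commit messages are constructed; against a real store, the upstream is the Spree repository and the fix hash is the one listed above for your branch.

```shell
#!/bin/sh
# Added example, not part of the Spree advisory: rehearse "fork into
# vendor/gems/spree and cherry-pick the fix", then verify the patch landed
# before the application is pointed at the fork.
# Everything below is a constructed fixture: a throwaway "upstream" repository
# whose master branch carries a fix commit that 2-2-stable lacks. For a real
# store, $UPSTREAM is the Spree repository and $FIX is the commit hash the
# advisory lists for your stable branch.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
UPSTREAM="$WORK/upstream"
APP="$WORK/app"
VENDORED="$APP/vendor/gems/spree"

# Run git with a fixed identity so commits and cherry-picks work without
# any global git configuration on the machine.
git_q() {
  git -c user.name=example -c user.email=example@example.invalid "$@"
}

# Build the stand-in upstream repository: one shared base commit, a
# 2-2-stable branch left at that base, and a fix commit on master.
# Prints the hash of the fix commit (the value to cherry-pick).
make_fixture_upstream() {
  git_q init -q "$UPSTREAM"
  git_q -C "$UPSTREAM" symbolic-ref HEAD refs/heads/master
  printf 'unpatched\n' > "$UPSTREAM/PATCH_LEVEL"
  git_q -C "$UPSTREAM" add PATCH_LEVEL
  git_q -C "$UPSTREAM" commit -q -m "Initial import (fixture)"
  git_q -C "$UPSTREAM" branch 2-2-stable
  printf 'patched\n' > "$UPSTREAM/PATCH_LEVEL"
  git_q -C "$UPSTREAM" commit -q -am "Fix API CSRF (fixture)"
  git_q -C "$UPSTREAM" rev-parse HEAD
}

# Clone upstream into vendor/gems/spree, switch to the stable branch the
# store tracks, and cherry-pick the fix commit onto it.
backport_fix() {
  branch=$1
  fix=$2
  mkdir -p "$(dirname "$VENDORED")"
  git_q clone -q "$UPSTREAM" "$VENDORED"
  git_q -C "$VENDORED" checkout -q "$branch"
  git_q -C "$VENDORED" cherry-pick "$fix"
}

# A cherry-picked commit gets a new hash, so verify by commit subject and by
# file content rather than by comparing hashes with upstream.
patch_applied() {
  repo=$1
  [ "$(git -C "$repo" log -1 --format=%s)" = "Fix API CSRF (fixture)" ] &&
    [ "$(cat "$repo/PATCH_LEVEL")" = "patched" ]
}

# The Gemfile line that makes the application load the vendored fork.
gemfile_line() {
  printf "gem 'spree', path: 'vendor/gems/spree'\n"
}

FIX=$(make_fixture_upstream)
backport_fix 2-2-stable "$FIX"

if patch_applied "$VENDORED"; then
  echo "patch applied on branch $(git -C "$VENDORED" rev-parse --abbrev-ref HEAD)"
  gemfile_line >> "$APP/Gemfile"
else
  echo "patch missing; do not deploy this fork" >&2
  exit 1
fi
```

The verification step is the part worth keeping for a real upgrade: a cherry-pick can silently resolve to an empty commit or leave conflict markers, so check the resulting tree (or run the test suite) before the Gemfile points at the fork.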
Thanks to Egor Homakov from Sakurity for following responsible disclosure practice and reporting the issue privately via the firstname.lastname@example.org email address. This allowed us to verify the problem and prepare the necessary security patches for public release.