GHSA SYNC: 2 brand new spree advisories (#987)

jasnow · web-flow · commit f118d913d62d · 2026-02-07T16:36:37.000-08:00
diff --git a/gems/spree_api/GHSA-87fh-rc96-6fr6.yml b/gems/spree_api/GHSA-87fh-rc96-6fr6.yml
@@ -0,0 +1,97 @@
+---
+gem: spree_api
+ghsa: 87fh-rc96-6fr6
+url: https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
+title: Unauthenticated Spree Commerce users can access all guest addresses
+date: 2026-02-05
+description: |
+  ### Summary
+
+  A critical IDOR vulnerability exists in Spree Commerce's guest
+  checkout flow that allows any guest user to bind arbitrary guest
+  addresses to their order by manipulating address ID parameters.
+  This enables unauthorized access to other guests' personally
+  identifiable information (PII) including names, addresses and
+  phone numbers. The vulnerability bypasses existing ownership
+  validation checks and affects all guest checkout transactions.
+
+  ### Impact
+
+  This issue may lead to disclosure of PII of guest users (including
+  names, addresses and phone numbers).
+
+  ### Unauthenticated users can access all guest addresses (`GHSL-2026-027`)
+
+  The vulnerability stems from incomplete authorization validation
+  in Spree's checkout address assignment logic. While nested address
+  attributes (`bill_address_attributes[id]` and
+  `ship_address_attributes[id]`) are properly validated through
+  `validate_address_ownership`, plain ID parameters (`bill_address_id`
+  and `ship_address_id`) bypass this check entirely. Since Spree's
+  address IDs are sequential numbers, an attacker might get all
+  guest addresses by simply enumerating over them.
+
+  ### Affected Code Components
+
+  1. **Permitted Attributes** ([`core/lib/spree/permitted_attributes.rb:92–96`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96))
+     - Allows `bill_address_id` and `ship_address_id` as permitted
+       parameters without validation
+
+  2. **Checkout Update** ([`core/app/models/spree/order/checkout.rb:241–254`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254))
+     - Applies permitted parameters directly to the Order model
+       via `update_from_params`
+
+  3. **Incomplete Ownership Validation** ([`core/app/services/spree/checkout/update.rb:33–48`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48))
+     - `validate_address_ownership` only validates nested attributes structure
+     - Does NOT validate plain `bill_address_id`/`ship_address_id` fields
+
+  4. **Vulnerable Assignment Logic** ([`core/app/models/spree/order/address_book.rb:16–23, 31–38`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38))
+     * [`bill_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L24)
+     * [`ship_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L31-L39)
+
+  Both setters check that: `address.user_id == order.user_id`. For
+  guest orders: nil == nil → TRUE ✓ (bypass!)
+
+  #### Impact
+
+  This issue may lead to disclosure of PII of guest users (including
+  names, addresses and phone numbers).
+
+  #### CWEs
+
+  - CWE-639: Authorization Bypass Through User-Controlled Key
+  - CWE-284: Improper Access Control
+
+  ### Credit
+
+  This issue was discovered with the [GitHub Security Lab Taskflow
+  Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+  and manually verified by GHSL team members
+  [@p- (Peter Stöckli)](https://github.com/p-) and
+  [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
+
+  ### Disclosure Policy
+
+  This report is subject to a 90-day disclosure deadline, as
+  described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+patched_versions:
+  - "~> 4.10.3"
+  - "~> 5.0.8"
+  - "~> 5.1.10"
+  - "~> 5.2.7"
+  - ">= 5.3.2"
+related:
+  url:
+    - https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
+    - https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
+    - https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
+    - https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
+    - https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
+    - https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
+    - https://github.com/advisories/GHSA-87fh-rc96-6fr6
+notes: |
+  - CVE-2026-25758 in GHSA Advisory.
diff --git a/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml b/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml
@@ -0,0 +1,78 @@
+---
+gem: spree_storefront
+ghsa: p6pv-q7rc-g4h9
+url: https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+title: Unauthenticated Spree Commerce users can view completed
+  guest orders by Order ID
+date: 2026-02-05
+description: |
+  ### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)
+
+  The `OrdersController#show` action permits viewing completed
+  guest orders by order number alone, without requiring the
+  associated order token.
+
+  Order lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):
+
+  ```ruby
+  @order = complete_order_finder.new(number: params[:id],
+    token: params[:token], store: current_store).execute.first
+  ```
+
+  Authorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):
+  ```ruby
+  def authorize_access
+    return true if @order.user_id.nil?
+
+    @order.user == try_spree_current_user
+  end
+  ```
+
+  If the attacker is in possession of a leaked Order ID, they might
+  look it up directly via this API.
+  Alternatively, brute forcing all or parts of the possible
+  Order IDs might be feasible for an attacker. (The Order IDs
+  themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45),
+  but with relatively low entropy: by default an order ID has a
+  length of 9 and a base of 10, that would require an attacker to
+  perform 1 billion requests to gather all guest orders. (At an
+  assumed constant rate of 100 requests per second it would take 115 days.)
+
+  #### Impact
+
+  This issue may lead to disclosure of PII of guest users
+  (including names, addresses and phone numbers).
+
+  #### CWEs
+
+  - CWE-639: Authorization Bypass Through User-Controlled Key
+
+  ### Credit
+
+  This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+  and manually verified by GHSL team members
+  [@p- (Peter Stöckli)](https://github.com/p-) and
+  [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
+
+  ### Disclosure Policy
+
+  This report is subject to a 90-day disclosure deadline, as
+  described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+patched_versions:
+  - "~> 5.0.8"
+  - "~> 5.1.10"
+  - "~> 5.2.7"
+  - ">= 5.3.2"
+related:
+  url:
+    - https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+    - https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
+    - https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
+    - https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
+    - https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
+    - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
+    - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9
+notes: |
+  - CVE-2026-25757 in GHSA advisory.
