This is a security patch release addressing two IDOR (Insecure Direct Object Reference) vulnerabilities. All users are strongly encouraged to upgrade immediately.
Security Fixes
High: Unauthenticated IDOR - Guest Address Exposure (GHSA-3ghg-3787-w2xr)
Moderate: Authenticated IDOR via Order Modification (GHSA-g268-72p7-9j6j)
Supported Versions
Security patches are available for all currently supported Spree versions:
| Version | Patched Release | EOL Date |
|---|---|---|
| 5.0 | 5.0.7 | March 2028 |
| 4.10 | 4.10.2 | September 2027 |
If you're running an unsupported version, please upgrade as soon as possible. Unsupported versions will not receive security patches. Need help upgrading? Contact the Spree team.
Upgrade
bundle update
Acknowledgements
We want to thank the XBOW researchers who responsibly disclosed these vulnerabilities.