Time-Based One-Time Password (TOTP) Reuse Affecting devise-two-factor Open this link in a new tab package, versions <4.0.2

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


  • Confidentiality


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    10 Apr 2022

  • disclosed

    23 Feb 2022

  • credit

    Benoit Côté-Jodoin

How to fix?

Upgrade devise-two-factor to version 4.0.2 or higher.


Affected versions of this package are vulnerable to Time-Based One-Time Password (TOTP) Reuse due to an improper fix of CVE-2015-7225, which makes it possible to reuse the OPT after 1 interval (30 seconds by default). If otp_allowed_drift is configured, the OTP will be valid for the entire duration of that drift period.