CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CVE-2025-61782 (GCVE-0-2025-61782)
Vulnerability from cvelistv5 – Published: 2026-01-07 17:28 – Updated: 2026-01-07 18:12 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| URL | Tags |
|---|---|
| https://github.com/OpenCTI-Platform/opencti/secur… | x_refsource_CONFIRM |
| https://github.com/OpenCTI-Platform/opencti/commi… | x_refsource_MISC |
| https://github.com/OpenCTI-Platform/opencti/relea… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| OpenCTI-Platform | opencti | Affected: < 6.8.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T18:12:40.375776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T18:12:58.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opencti",
"vendor": "OpenCTI-Platform",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform\u0027s SAML authentication endpoint (/auth/saml/callback). By manipulating the RelayState parameter, an attacker can force the server to issue a 302 redirect to any external URL, enabling phishing, credential theft, and arbitrary site redirection. This issue has been patched in version 6.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T17:28:53.599Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jc3f-c62g-v7qw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jc3f-c62g-v7qw"
},
{
"name": "https://github.com/OpenCTI-Platform/opencti/commit/f755165a26888925c4a58018f7238ff92a0bd378",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenCTI-Platform/opencti/commit/f755165a26888925c4a58018f7238ff92a0bd378"
},
{
"name": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.8.3"
}
],
"source": {
"advisory": "GHSA-jc3f-c62g-v7qw",
"discovery": "UNKNOWN"
},
"title": "Open Redirect in OpenCTI\u0027s SAML Authentication Flow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61782",
"datePublished": "2026-01-07T17:28:53.599Z",
"dateReserved": "2025-09-30T19:43:49.902Z",
"dateUpdated": "2026-01-07T18:12:58.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6197 (GCVE-0-2025-6197)
Vulnerability from cvelistv5 – Published: 2025-07-18 07:48 – Updated: 2025-07-18 13:46
| URL | Tags |
|---|---|
| https://grafana.com/security/security-advisories/… | vendor-advisory |
| https://grafana.com/blog/2025/07/17/grafana-secur… | mitigation, release-notes |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T13:45:54.505880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T13:46:01.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "12.0.2+security-01",
"status": "affected",
"version": "12.0.x",
"versionType": "semver"
},
{
"lessThan": "11.6.3+security-01",
"status": "affected",
"version": "11.6.x",
"versionType": "semver"
},
{
"lessThan": "11.5.6+security-01",
"status": "affected",
"version": "11.5.x",
"versionType": "semver"
},
{
"lessThan": "11.4.6+security-01",
"status": "affected",
"version": "11.4.x",
"versionType": "semver"
},
{
"lessThan": "11.3.8+security-01",
"status": "affected",
"version": "11.3.x",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dat Phung"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn open redirect vulnerability has been identified in Grafana OSS organization switching functionality.\u003cbr\u003e\u003c/p\u003e\u003cp\u003ePrerequisites for exploitation:\u003c/p\u003e\u003cp\u003e- Multiple organizations must exist in the Grafana instance\u003c/p\u003e\u003cp\u003e- Victim must be on a different organization than the one specified in the URL\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An open redirect vulnerability has been identified in Grafana OSS organization switching functionality.\n\n\nPrerequisites for exploitation:\n\n- Multiple organizations must exist in the Grafana instance\n\n- Victim must be on a different organization than the one specified in the URL"
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T07:49:16.382Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"name": "Vulnerable code location",
"tags": [
"vendor-advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2025-6197/"
},
{
"tags": [
"mitigation",
"release-notes"
],
"url": "https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-6197-and-cve-2025-6023/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2025-6197",
"datePublished": "2025-07-18T07:48:22.523Z",
"dateReserved": "2025-06-17T07:22:18.547Z",
"dateUpdated": "2025-07-18T13:46:01.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62253 (GCVE-0-2025-62253)
Vulnerability from cvelistv5 – Published: 2025-10-27 18:54 – Updated: 2025-10-27 19:38 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T19:38:08.810962Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:38:22.629Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Portal",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.4.3.97",
"status": "affected",
"version": "7.4.0",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "DXP",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.3.10-u35",
"status": "affected",
"version": "7.3.10",
"versionType": "maven"
},
{
"lessThanOrEqual": "7.4.13-u92",
"status": "affected",
"version": "7.4.13",
"versionType": "maven"
},
{
"lessThanOrEqual": "2023.Q3.4",
"status": "affected",
"version": "2023.Q3.1",
"versionType": "maven"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:*",
"versionEndIncluding": "7.4.3.97",
"versionStartIncluding": "7.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
"versionEndIncluding": "7.3.10-u35",
"versionStartIncluding": "7.3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
"versionEndIncluding": "7.4.13-u92",
"versionStartIncluding": "7.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2023.q3.4",
"versionStartIncluding": "2023.q3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Abderrahmane BOUNHIDJA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_redirect parameter."
}
],
"value": "Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_redirect parameter."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:29:10.926Z",
"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"shortName": "Liferay"
},
"references": [
{
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62253"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"assignerShortName": "Liferay",
"cveId": "CVE-2025-62253",
"datePublished": "2025-10-27T18:54:47.929Z",
"dateReserved": "2025-10-09T20:58:51.717Z",
"dateUpdated": "2025-10-27T19:38:22.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62266 (GCVE-0-2025-62266)
Vulnerability from cvelistv5 – Published: 2025-10-30 17:37 – Updated: 2025-10-30 19:06 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T19:06:36.738279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:06:43.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Portal",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.4.3.119",
"status": "affected",
"version": "7.4.0",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "DXP",
"vendor": "Liferay",
"versions": [
{
"lessThanOrEqual": "7.4.13-u92",
"status": "affected",
"version": "7.4.13",
"versionType": "maven"
},
{
"lessThanOrEqual": "2023.Q3.10",
"status": "affected",
"version": "2023.Q3.1",
"versionType": "maven"
},
{
"lessThanOrEqual": "2023.Q4.10",
"status": "affected",
"version": "2023.Q4.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "2024.Q1.5",
"status": "affected",
"version": "2024.Q1.1",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain."
}
],
"value": "By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:35:11.229Z",
"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"shortName": "Liferay"
},
"references": [
{
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62256"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"assignerShortName": "Liferay",
"cveId": "CVE-2025-62266",
"datePublished": "2025-10-30T17:37:21.375Z",
"dateReserved": "2025-10-09T20:58:53.012Z",
"dateUpdated": "2025-10-30T19:06:43.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62361 (GCVE-0-2025-62361)
Vulnerability from cvelistv5 – Published: 2025-10-13 21:27 – Updated: 2025-10-14 15:15 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| URL | Tags |
|---|---|
| https://github.com/LabRedesCefetRJ/WeGIA/security… | x_refsource_CONFIRM |
| https://github.com/LabRedesCefetRJ/WeGIA/commit/2… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| LabRedesCefetRJ | WeGIA | Affected: < 3.5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62361",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T15:15:05.679313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T15:15:13.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WeGIA",
"vendor": "LabRedesCefetRJ",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, an Open Redirect vulnerability was identified in the control.php endpoint of the WeGIA application, specifically in the nextPage parameter (metodo=listarTodos nomeClasse=AlmoxarifeControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This vulnerability is fixed in 3.5.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-13T21:27:38.572Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m99c-77f2-gpjx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m99c-77f2-gpjx"
},
{
"name": "https://github.com/LabRedesCefetRJ/WeGIA/commit/2b53003b5956dbbf0ce554b680245f55ad869821",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/2b53003b5956dbbf0ce554b680245f55ad869821"
}
],
"source": {
"advisory": "GHSA-m99c-77f2-gpjx",
"discovery": "UNKNOWN"
},
"title": "WeGIA Open Redirect Vulnerability in `control.php` endpoint `nextPage` parameter (metodo=listarTodos nomeClasse=AlmoxarifeControle)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62361",
"datePublished": "2025-10-13T21:27:38.572Z",
"dateReserved": "2025-10-10T14:22:48.202Z",
"dateUpdated": "2025-10-14T15:15:13.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62379 (GCVE-0-2025-62379)
Vulnerability from cvelistv5 – Published: 2025-10-15 15:57 – Updated: 2025-10-15 17:18 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| URL | Tags |
|---|---|
| https://github.com/reflex-dev/reflex/security/adv… | x_refsource_CONFIRM |
| https://github.com/reflex-dev/reflex/commit/ade12… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| reflex-dev | reflex | Affected: >= 0.5.4, < 0.8.15 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62379",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T17:17:48.463909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T17:18:15.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "reflex",
"vendor": "reflex-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.4, \u003c 0.8.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirect_to query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a GitHub Codespaces environment. This allows attackers to redirect users to arbitrary external URLs. The vulnerable route is only registered when a Codespaces environment is detected, and the detection is controlled by environment variables. The same behavior can be activated in production if the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable is set. The vulnerability occurs because the code assigns the redirect_to query parameter directly to a.href without any validation and immediately triggers a click (automatic navigation), allowing users to be sent to arbitrary external domains. The execution condition is based on the presence of a sessionStorage flag, meaning it triggers immediately on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses in place. This issue has been patched in version 0.8.15. As a workaround, users can ensure that GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in a production environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T15:57:57.208Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/reflex-dev/reflex/security/advisories/GHSA-rfh5-c9h5-q8jm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/reflex-dev/reflex/security/advisories/GHSA-rfh5-c9h5-q8jm"
},
{
"name": "https://github.com/reflex-dev/reflex/commit/ade12549f3c0ddab3d7382c581bc04a3c1f989ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reflex-dev/reflex/commit/ade12549f3c0ddab3d7382c581bc04a3c1f989ec"
}
],
"source": {
"advisory": "GHSA-rfh5-c9h5-q8jm",
"discovery": "UNKNOWN"
},
"title": "Open Redirect in reflex-dev/reflex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62379",
"datePublished": "2025-10-15T15:57:57.208Z",
"dateReserved": "2025-10-10T14:22:48.205Z",
"dateUpdated": "2025-10-15T17:18:15.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6238 (GCVE-0-2025-6238)
Vulnerability from cvelistv5 – Published: 2025-07-04 01:44 – Updated: 2025-07-08 14:28 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| Vendor | Product | Version |
|---|---|---|
| tigroumeow | AI Engine | Affected: 2.8.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T14:27:57.811986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T14:28:09.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI Engine",
"vendor": "tigroumeow",
"versions": [
{
"status": "affected",
"version": "2.8.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the \u0027redirect_uri\u0027 parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the \u0027Meow_MWAI_Labs_OAuth\u0027 class is not loaded in the plugin in the patched version 2.8.5."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-04T01:44:02.327Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1edc84fd-8cb5-4899-9444-1b6ae3144917?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.8.4/labs/oauth.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3321384/ai-engine/trunk/labs/mcp.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3321384/ai-engine/trunk/labs/oauth.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-18T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-06-18T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-07-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "AI Engine 2.8.4 - Insecure OAuth Implementation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6238",
"datePublished": "2025-07-04T01:44:02.327Z",
"dateReserved": "2025-06-18T13:58:33.637Z",
"dateUpdated": "2025-07-08T14:28:09.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62407 (GCVE-0-2025-62407)
Vulnerability from cvelistv5 – Published: 2025-10-16 17:39 – Updated: 2025-10-16 19:22 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| URL | Tags |
|---|---|
| https://github.com/frappe/frappe/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:27:36.373332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:22:52.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frappe",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.83.0"
},
{
"status": "affected",
"version": "\u003c 14.98.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe is a full-stack web application framework. Prior to 14.98.0 and 15.83.0, an open redirect was possible through the redirect argument on the login page, if a specific type of URL was passed in. This vulnerability is fixed in 14.98.0 and 15.83.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:39:32.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/frappe/security/advisories/GHSA-j9jr-qrpj-g855",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/frappe/security/advisories/GHSA-j9jr-qrpj-g855"
}
],
"source": {
"advisory": "GHSA-j9jr-qrpj-g855",
"discovery": "UNKNOWN"
},
"title": "Frappe has an Open Redirect on Login Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62407",
"datePublished": "2025-10-16T17:39:32.903Z",
"dateReserved": "2025-10-13T16:26:12.178Z",
"dateUpdated": "2025-10-16T19:22:52.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62428 (GCVE-0-2025-62428)
Vulnerability from cvelistv5 – Published: 2025-10-16 18:57 – Updated: 2025-10-17 14:28 – CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| URL | Tags |
|---|---|
| https://github.com/Drawing-Captcha/Drawing-Captch… | x_refsource_CONFIRM |
| https://github.com/Drawing-Captcha/Drawing-Captch… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| Drawing-Captcha | Drawing-Captcha-APP | Affected: < 1.2.5-alpha-patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62428",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-17T14:27:57.375152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T14:28:00.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Drawing-Captcha/Drawing-Captcha-APP/issues/30"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Drawing-Captcha-APP",
"vendor": "Drawing-Captcha",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.5-alpha-patch"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation links. These links can redirect users to attacker-controlled domains. This vulnerability affects all users relying on email confirmation for account registration or verification. This vulnerability is fixed in 1.2.5-alpha-patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:57:14.114Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Drawing-Captcha/Drawing-Captcha-APP/security/advisories/GHSA-5pj8-fc6g-vv7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Drawing-Captcha/Drawing-Captcha-APP/security/advisories/GHSA-5pj8-fc6g-vv7m"
},
{
"name": "https://github.com/Drawing-Captcha/Drawing-Captcha-APP/issues/30",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Drawing-Captcha/Drawing-Captcha-APP/issues/30"
}
],
"source": {
"advisory": "GHSA-5pj8-fc6g-vv7m",
"discovery": "UNKNOWN"
},
"title": "Drawing-Captcha APP Host Header Injection in `/register` and `/confirm-email` Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62428",
"datePublished": "2025-10-16T18:57:14.114Z",
"dateReserved": "2025-10-13T16:26:12.180Z",
"dateUpdated": "2025-10-17T14:28:00.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62595 (GCVE-0-2025-62595)
Vulnerability from cvelistv5 – Published: 2025-10-21 16:20 – Updated: 2025-10-21 16:35 - CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
| URL | Tags |
|---|---|
| https://github.com/koajs/koa/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/koajs/koa/commit/769fd75cc6b30… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62595",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-21T16:35:45.437787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T16:35:48.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "koa",
"vendor": "koajs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.16.2, \u003c 2.16.3"
},
{
"status": "affected",
"version": "\u003e= 3.0.1, \u003c 3.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user\u2019s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T16:20:43.809Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc"
},
{
"name": "https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b"
}
],
"source": {
"advisory": "GHSA-g8mr-fgfg-5qpc",
"discovery": "UNKNOWN"
},
"title": "Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62595",
"datePublished": "2025-10-21T16:20:43.809Z",
"dateReserved": "2025-10-16T19:24:37.266Z",
"dateUpdated": "2025-10-21T16:35:48.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
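The following is an added example of the "accept known good" strategy applied to redirect targets and to Host-header-derived links; it is not code from CWE, Koa, Drawing-Captcha or OpenCTI, and the names TRUSTED_ORIGINS, CANONICAL_ORIGIN, safeRedirectTarget, naiveIsRelative, publicBaseUrl and confirmationLink are this example's own. It parses every candidate with the WHATWG URL class against the application's canonical origin and compares the resulting origin with an allow-list, which is what makes inputs like "//evil.com" or "/\evil.com" show up as a foreign origin rather than pass a hand-written "starts with a single slash" check. The path-only case ("https://app.example//evil.com") is of the general class the Koa record describes as specially crafted URLs treated as safe relative paths; the exact Koa bypass is in the linked advisory, not reproduced here. The Host-header part addresses the pattern in the Drawing-Captcha record: absolute links for e-mails are built from the configured origin unless the Host header matches the allow-list exactly. Runs on Node.js with no dependencies.

```javascript
// Added example (not CWE, Koa, Drawing-Captcha or OpenCTI code).
// Allow-list of origins this application may redirect to or mint links for;
// everything else is rejected (MIT-5, "accept known good").
const TRUSTED_ORIGINS = new Set([
  'https://app.example',
  'https://accounts.app.example',
]);
const CANONICAL_ORIGIN = 'https://app.example';

// Returns an absolute URL that is safe to put in a Location header, or null
// if the candidate must be rejected. The candidate may come from a query
// parameter, a SAML RelayState, a Referer header or a hidden form field.
function safeRedirectTarget(candidate, trusted = TRUSTED_ORIGINS) {
  if (typeof candidate !== 'string' || candidate.length === 0 || candidate.length > 2048) {
    return null;
  }
  let parsed;
  try {
    // Resolving against the canonical origin is what turns "//evil.com" and
    // "/\evil.com" (backslash is a slash for http/https in the URL standard)
    // into an explicit foreign origin instead of a plausible relative path.
    parsed = new URL(candidate, CANONICAL_ORIGIN);
  } catch {
    return null; // unparsable input
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return null; // javascript:, data:, and friends
  }
  if (!trusted.has(parsed.origin)) {
    return null; // wrong host, wrong scheme, wrong port, userinfo tricks
  }
  // Always emit the absolute, normalised form. Emitting only the path would
  // turn "https://app.example//evil.com" into "Location: //evil.com", which
  // browsers treat as scheme-relative, i.e. an open redirect.
  return parsed.href;
}

// The check many code bases actually ship: a leading "/" is "relative"
// unless it is "//". Kept only to show which inputs get past it.
function naiveIsRelative(candidate) {
  return candidate.startsWith('/') && !candidate.startsWith('//');
}

// Base URL for links placed in e-mails. The Host header is honoured only if
// it is exactly one of the configured origins; otherwise the canonical
// origin is used, so a forged Host header cannot point the link elsewhere.
function publicBaseUrl(hostHeader, proto = 'https') {
  try {
    const origin = new URL(`${proto}://${hostHeader}`).origin;
    if (TRUSTED_ORIGINS.has(origin)) return origin;
  } catch {
    // empty or malformed Host header
  }
  return CANONICAL_ORIGIN;
}

function confirmationLink(hostHeader, token) {
  const url = new URL('/confirm-email', publicBaseUrl(hostHeader));
  url.searchParams.set('token', token);
  return url.href;
}
```

A backslash candidate is the instructive case: naiveIsRelative('/\\evil.com') is true, while safeRedirectTarget rejects it because the parser resolves it to https://evil.com. Conversely, https://app.example//evil.com is accepted, and the returned absolute href is what must reach the Location header; new URL(...).pathname for that input is "//evil.com", which is exactly the string a path-only redirect would hand to the browser.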
Mitigation
Phase: Architecture and Design
Description:
- Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
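An added example of such an interstitial page, not code from CWE or any of the projects above; escapeHtml and renderLeavePage are this example's own names. Two things matter in it: the destination is only ever linked if it parses as an absolute http(s) URL (so a javascript: target gets no link at all), and the URL is HTML-escaped both where it appears in the href attribute and where it is shown as text, which is the CWE-79 point the mitigation warns about. The page does not auto-redirect; the user must click. Runs on Node.js with no dependencies and returns a framework-neutral { status, headers, body } object.

```javascript
// Added example (not CWE or project code). Node.js, no dependencies.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the "you are leaving this site" page. Nothing auto-redirects; the
// only way onward is the link, and it exists only for http(s) destinations.
function renderLeavePage(destination) {
  let href = null;
  try {
    const u = new URL(destination);                       // absolute URLs only
    if (u.protocol === 'http:' || u.protocol === 'https:') href = u.href;
  } catch {
    // relative path or unparsable input: treated as invalid below
  }

  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Referrer-Policy': 'no-referrer',   // the external site learns nothing about the originating page
    'X-Content-Type-Options': 'nosniff',
  };
  if (href === null) {
    return {
      status: 400,
      headers,
      body: '<!doctype html><title>Invalid link</title><p>The link you followed is not valid.</p>',
    };
  }

  // The URL parser already percent-encodes <, > and " but leaves & and ' in
  // place; escaping covers those and keeps the attribute well-formed.
  const safe = escapeHtml(href);
  const body = `<!doctype html><title>Leaving this site</title>
<p>You are about to leave this site for <code>${safe}</code>.</p>
<p><a href="${safe}" rel="noopener noreferrer">Continue to external site</a></p>
<p><a href="/">Stay here</a></p>`;
  return { status: 200, headers, body };
}
```

Pair this with an allow-list of external domains that may appear here at all; the interstitial is a warning for the user, not a substitute for validating where the link points.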
Mitigation ID: MIT-21.2
Phase: Architecture and Design
Strategy: Enforcement by Conversion
Description:
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation ID: MIT-6
Phases: Architecture and Design, Implementation
Strategy: Attack Surface Reduction
Description:
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation ID: MIT-29
Phase: Operation
Strategy: Firewall
Description:
- Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.