GHSA-6QVV-PJ99-48QM
Vulnerability from github – Published: 2026-04-14 20:01 – Updated: 2026-04-15 21:09Impact
The response.redirect().back() method in @adonisjs/http-server is vulnerable to open redirects. The method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header (for example, by linking a user through an attacker-controlled page before a form submission) can cause the application to redirect users to a malicious external site.
This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back').
The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect').
Patches
This has been fixed in @adonisjs/http-server version 8.2.0. The back() method now validates the Referer header's host against the request's own Host header. Referrers from unrecognized hosts are rejected and the redirect falls back to / (or a developer-provided fallback URL).
Applications that operate across multiple domains can configure additional trusted hosts via the redirect.allowedHosts option in config/app.ts.
Users should upgrade to @adonisjs/http-server@^8.2.0 (or @adonisjs/core@^7.4.0 if using the core meta-package).
Workarounds
If upgrading is not immediately possible, avoid using response.redirect().back() in routes that are reachable by unauthenticated users or from pages that accept external traffic. Instead, redirect to a known safe path explicitly using response.redirect().toPath('/dashboard').
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@adonisjs/http-server"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-next.0"
},
{
"fixed": "8.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@adonisjs/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@adonisjs/http-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40255"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T20:01:28Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `response.redirect().back()` method in `@adonisjs/http-server` is vulnerable to open redirects. The method reads the `Referer` header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the `Referer` header (for example, by linking a user through an attacker-controlled page before a form submission) can cause the application to redirect users to a malicious external site.\n\nThis affects all AdonisJS applications that use `response.redirect().back()` or `response.redirect(\u0027back\u0027)`.\n\nThe vulnerability is classified as CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027).\n\n### Patches\n\nThis has been fixed in `@adonisjs/http-server` version **8.2.0**. The `back()` method now validates the `Referer` header\u0027s host against the request\u0027s own `Host` header. Referrers from unrecognized hosts are rejected and the redirect falls back to `/` (or a developer-provided fallback URL).\n\nApplications that operate across multiple domains can configure additional trusted hosts via the `redirect.allowedHosts` option in `config/app.ts`.\n\nUsers should upgrade to `@adonisjs/http-server@^8.2.0` (or `@adonisjs/core@^7.4.0` if using the core meta-package).\n\n### Workarounds\n\nIf upgrading is not immediately possible, avoid using `response.redirect().back()` in routes that are reachable by unauthenticated users or from pages that accept external traffic. Instead, redirect to a known safe path explicitly using `response.redirect().toPath(\u0027/dashboard\u0027)`.\n\n### References\n\n- [CWE-601: URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)\n- [OWASP: Unvalidated Redirects and Forwards](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)",
"id": "GHSA-6qvv-pj99-48qm",
"modified": "2026-04-15T21:09:15Z",
"published": "2026-04-14T20:01:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/http-server/commit/2008fb6cf4f6f1c0ca5797d57def4d93e1c3de08"
},
{
"type": "PACKAGE",
"url": "https://github.com/adonisjs/http-server"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/http-server/releases/tag/v7.8.1"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/http-server/releases/tag/v8.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "@adonisjs/http-server has an Open Redirect vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.