Open redirect vulnerability exposed when localePrefix: 'as-needed'
hblee12294 changed the title on Jul 19, 2024
Description
Hi, I have found an open redirect vulnerability when localePrefix is 'as-needed'. This vulnerability allows an attacker to redirect users to a malicious site by manipulating URL parameters.

The vulnerability occurs because decodeURI doesn't escape decoded backslashes (%5C & %5c) and will decode them into '\' as an unsafe externalPathname. This unsafe externalPathname will be passed to new URL(normalizeTrailingSlash(url), request.url) to be the redirect destination. But URL will internally replace backslashes with slashes and take it as a new authority (host) part, so the host will be parsed wrongly due to this bug (or feature?). Here's an example of what I'm talking about:

Example:
My project reproduces this issue, access it from this url
References
A similar vulnerability occurred in URI.js, which was fixed by replacing all '\' with ''.
Verifications
Mandatory reproduction URL
https://github.com/hblee12294/nextempura
Reproduction description
Steps to reproduce:
1. pnpm install / npm install / yarn install
2. pnpm dev / pnpm run dev / yarn dev
3. Open localhost:3000 in the browser
4. Visit http://localhost:3000/en/%5Cexample.org
Expected behaviour
The website will be redirected to example.org, but it should be http://localhost:3000/%5Cexample.org.
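The mechanism the report describes, as an added example that is not code from the report or from next-intl. It runs on Node's built-in WHATWG URL class and shows both the vulnerable shape (decode, then resolve against request.url) and a hardened shape that re-encodes backslashes and refuses any target that leaves the request's origin. stripLocaleAndDecode is a hypothetical, simplified stand-in for a localePrefix: 'as-needed' middleware that drops the default-locale prefix; the request URL is constructed to mirror the reproduction URL above.

```javascript
// Added example for this issue (not code from the report or from next-intl).
// decodeURI turns %5C / %5c into "\", and for http(s) URLs the WHATWG parser
// treats "\" like "/", so a decoded "/\example.org" is parsed as an authority.
// stripLocaleAndDecode is a hypothetical, simplified stand-in for a
// localePrefix: 'as-needed' middleware that drops the default-locale prefix.

function stripLocaleAndDecode(rawPathname, defaultLocale) {
  const prefix = `/${defaultLocale}`;
  const rest = rawPathname.startsWith(prefix + "/")
    ? rawPathname.slice(prefix.length)
    : rawPathname;
  // decodeURI leaves reserved characters such as %2F alone but does decode %5C.
  return decodeURI(rest);
}

// Vulnerable shape: resolve the decoded path against the request URL and
// redirect to whatever comes out, even if the host changed.
function vulnerableRedirectTarget(rawPathname, requestUrl, defaultLocale = "en") {
  const externalPathname = stripLocaleAndDecode(rawPathname, defaultLocale);
  return new URL(externalPathname, requestUrl).href;
}

// Hardened shape: re-encode backslashes so the parser cannot reinterpret
// them as "/", then refuse any target whose origin differs from the request's.
// Returns null when the redirect would leave the origin.
function safeRedirectTarget(rawPathname, requestUrl, defaultLocale = "en") {
  const base = new URL(requestUrl);
  const externalPathname = stripLocaleAndDecode(rawPathname, defaultLocale);
  const neutralised = externalPathname.replace(/\\/g, "%5C");
  const target = new URL(neutralised, base);
  if (target.origin !== base.origin) {
    return null;
  }
  return target.href;
}

// Constructed request, mirroring the reproduction URL in the issue.
const request = { url: "http://localhost:3000/en/%5Cexample.org" };
const rawPathname = new URL(request.url).pathname; // "/en/%5Cexample.org"
console.log("vulnerable:", vulnerableRedirectTarget(rawPathname, request.url)); // http://example.org/
console.log("hardened:  ", safeRedirectTarget(rawPathname, request.url));       // http://localhost:3000/%5Cexample.org
```

Note that the origin comparison is the check that actually matters: re-encoding backslashes closes this specific parser quirk, but a scheme-relative path such as //example.org/x would still resolve off-origin, and the hardened function rejects that too.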