GHSA-f3g8-9xv5-77gv: Open Redirect in Saltcorn via Incomplete URL Validation
Vulnerability ID: GHSA-F3G8-9XV5-77GV
CVSS Score: 5.1
Published: 2026-04-16
The @saltcorn/server package contains an open redirect vulnerability (CWE-601) in the login route. An attacker can craft a malicious URL using backslashes to bypass the application's relative URL validation logic, resulting in the redirection of authenticated users to arbitrary external domains.
TL;DR
A flawed validation routine in Saltcorn allows attackers to bypass open redirect protections using backslash characters, enabling credential harvesting and phishing attacks against users during the authentication flow.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-601
- Attack Vector: Network
- CVSS v4.0: 5.1 (Medium)
- Exploit Status: Proof of Concept
- User Interaction: Required
- Privileges Required: None
Affected Systems
- Saltcorn (@saltcorn/server npm package)
- @saltcorn/server: < 1.4.6 (Fixed in: 1.4.6)
- @saltcorn/server: >= 1.5.0-beta.0, < 1.5.6 (Fixed in: 1.5.6)
- @saltcorn/server: >= 1.6.0-alpha.0, < 1.6.0-beta.5 (Fixed in: 1.6.0-beta.5)
Mitigation Strategies
- Upgrade the @saltcorn/server package to a patched version
- Deploy WAF rules to inspect and drop malicious dest parameters containing backslashes
- Implement log monitoring for suspicious authentication redirect patterns
Remediation Steps:
- Identify the currently installed version of @saltcorn/server using npm list @saltcorn/server
- Update the package by running npm install @saltcorn/server@^1.5.6 (or the appropriate version branch)
- Restart the Saltcorn application service
- Verify the fix by passing ?dest=/%5Cexample.com to the login route and confirming that it redirects to the root path instead
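The backslash bypass described above, as an added JavaScript example that is not Saltcorn's own code: a weak relative-URL check of the kind that lets "/\example.com" through (a constructed illustration, not the actual vulnerable routine), beside a hardened check that resolves the value against an assumed application origin (https://app.example) and falls back to the root path.

```javascript
// Added example (not Saltcorn's code). Browsers and the WHATWG URL parser treat
// "\" as "/" for http(s), so "/\example.com" becomes "//example.com", i.e. a
// protocol-relative URL pointing at an external host.
const APP_ORIGIN = "https://app.example"; // assumed deployment origin

// Weak check (constructed): only requires a leading "/" and rejects "//",
// so the backslash variant passes and the redirect leaves the site.
function isSafeDestWeak(dest) {
  return typeof dest === "string" && dest.startsWith("/") && !dest.startsWith("//");
}

// Hardened check: reject backslashes and control characters outright, then
// resolve against the app origin and require the result to stay on it.
// Returns a same-origin path (with query and fragment) or the fallback.
function safeDest(dest, fallback = "/") {
  if (typeof dest !== "string" || dest === "") return fallback;
  if (/[\\\x00-\x1f]/.test(dest)) return fallback;
  if (!dest.startsWith("/") || dest.startsWith("//")) return fallback;
  let parsed;
  try {
    parsed = new URL(dest, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Walk the advisory's verification payload through both checks.
function demo() {
  const payload = decodeURIComponent("/%5Cexample.com"); // "/\example.com"
  return { weakAccepts: isSafeDestWeak(payload), hardenedRedirect: safeDest(payload) };
}
```

demo() shows the weak check accepting the payload while the hardened check sends the user to "/", which is the behaviour the verification step above expects from a patched install.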
References
Read the full report for GHSA-F3G8-9XV5-77GV on our website for more details including interactive diagrams and full exploit analysis.