Summary
There is an open redirect in the @keystone-6/auth package: the filter that is meant to accept only redirect targets beginning with a leading / can be bypassed.
Impact
Users may be redirected to domains other than the host they are signing in to, so an attacker could use a crafted link to send users to an unexpected location after authentication.
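The following is an added illustration of the vulnerability class this advisory describes, not code from @keystone-6/auth: a redirect filter that only checks for a leading / treats protocol-relative targets such as //evil.example (and variants the WHATWG URL parser normalises to them) as same-site. The filter shapes, the base origin and the sample targets are assumptions constructed for the example. The hardened check resolves the target against a fixed origin and confirms the origin is unchanged.

```javascript
// Added example: a bypassable leading-slash redirect check next to a hardened one.
// Not the @keystone-6/auth implementation; filter logic and inputs are assumptions.

// Naive filter: anything that starts with "/" is considered a local path.
function weakIsLocalRedirect(target) {
  return typeof target === 'string' && target.startsWith('/');
}

// Hardened filter: reject the known bypass shapes, then verify the resolved origin.
function safeIsLocalRedirect(target, baseOrigin = 'https://app.example') {
  if (typeof target !== 'string' || target.length === 0) return false;
  // "//host" is protocol-relative and "/\host" is normalised to it by browsers.
  if (target[0] !== '/' || target[1] === '/' || target[1] === '\\') return false;
  // Tabs, newlines and other control characters are stripped by the URL parser
  // before it decides what the authority is, so "/\t/evil" becomes "//evil".
  if (/[\u0000-\u0020\u007f]/.test(target)) return false;
  let resolved;
  try {
    resolved = new URL(target, baseOrigin + '/');
  } catch {
    return false;
  }
  return resolved.origin === new URL(baseOrigin).origin;
}

// Constructed sample of redirect targets an attacker might supply.
const SAMPLE_TARGETS = [
  '/dashboard',
  '/dashboard?next=//evil.example',
  '//evil.example/phish',
  '/\\evil.example/phish',
  '/\t/evil.example/phish',
  'https://evil.example/phish',
];

// Returns, per target, what each filter decides and where a browser would land.
function classifyTargets(targets, baseOrigin = 'https://app.example') {
  return targets.map((target) => {
    let landsOn = null;
    try {
      landsOn = new URL(target, baseOrigin + '/').origin;
    } catch {
      landsOn = null;
    }
    return {
      target,
      weak: weakIsLocalRedirect(target),
      safe: safeIsLocalRedirect(target, baseOrigin),
      landsOn,
    };
  });
}

// Uncomment to inspect the table when running stand-alone:
// console.table(classifyTargets(SAMPLE_TARGETS));
```

Every target that the weak filter accepts but that resolves to a foreign origin is an open redirect; the hardened check rejects all of them while still allowing genuine local paths, including ones whose query string happens to contain //.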
Mitigations
- Don't use the @keystone-6/auth package
Credits
Thanks to morioka12 for reporting this problem.
If you have any questions about this security advisory, please don't hesitate to contact us at [email protected], or open an issue on GitHub.
If you have a security flaw to report for any software in this repository, please see our SECURITY policy.