Open Redirect Affecting amp-html package, versions *


Severity

Recommended: 0.0 (high), on a scale of 0 to 10

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-JS-AMPHTML-598262
  • Published: 1 Oct 2020
  • Disclosed: 12 Aug 2020
  • Credit: Joelsz

Introduced: 12 Aug 2020

CVE: not available. CWE: CWE-601

How to fix?

There is no fixed version for amp-html.

Overview

amp-html is a full-site AMP pages validator.

Affected versions of this package are vulnerable to Open Redirect. The default value of the "return" parameter for the amp-access login endpoint is the cdn.ampproject.org "login done" page, with a "url" parameter that contains the original URL of the AMP page. The canonical backend is supposed to redirect to this "return" value after login or logout. Once redirected, the "login done" page immediately redirects back to the URL in the "url" parameter, which is the original AMP page from which the authentication request originated.

The issue is that the domain of the "url" parameter is not validated, so when the "url" parameter is manually changed to another domain, the page still redirects to that URL.
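The missing check, sketched as an added example (not code from amp-html or from this advisory): the "url" parameter is parsed and followed only if its full origin is on an allowlist. The function name, the `.example` hosts and the `/login-done` path are constructed for illustration.

```javascript
// Added example, not AMP project code. Names, hosts and paths are constructed.

// Read the "url" query parameter from the "login done" page URL and return it
// only if it points at an origin the login flow is allowed to return to.
// Anything else yields the fixed fallback instead of being followed.
function pickRedirectTarget(loginDoneUrl, allowedOrigins, fallbackUrl) {
  const raw = new URL(loginDoneUrl).searchParams.get('url');
  if (raw === null) return fallbackUrl;

  let target;
  try {
    // Resolve against the fallback so scheme-relative ("//host") values are
    // normalised the way a browser would resolve them before we compare.
    target = new URL(raw, fallbackUrl);
  } catch (err) {
    return fallbackUrl; // unparseable value
  }

  const isWeb = target.protocol === 'https:' || target.protocol === 'http:';
  const hasUserinfo = target.username !== '' || target.password !== '';
  // Compare the full origin (scheme + host + port), never a substring or
  // prefix of the host, so "publisher.example.other.example" does not match.
  const allowed = allowedOrigins.includes(target.origin);

  return isWeb && !hasUserinfo && allowed ? target.href : fallbackUrl;
}

// Constructed sample values.
const ALLOWED = ['https://publisher.example'];
const FALLBACK = 'https://publisher.example/';
const done = (u) =>
  'https://cdn.example/login-done?url=' + encodeURIComponent(u);

// First entry is the legitimate return target; the rest must be rejected.
function demo() {
  return [
    'https://publisher.example/article.amp.html',
    'https://other.example/page',
    'https://publisher.example.other.example/',
    'https://publisher.example@other.example/',
    '//other.example/page',
    'javascript:void(0)',
  ].map((u) => pickRedirectTarget(done(u), ALLOWED, FALLBACK));
}

console.log(demo());
```

Only the first sample value is returned unchanged; every other value resolves to the fallback because its origin is not on the allowlist.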

CVSS Scores

version 3.1