Open Redirect Affecting flask-security-too package, versions [,5.3.3)
- Snyk ID SNYK-PYTHON-FLASKSECURITYTOO-6139926
- published 27 Dec 2023
- disclosed 26 Dec 2023
- credit Brandon T. Elliott
Introduced: 26 Dec 2023
- CVE-2023-49438
How to fix?
Upgrade Flask-Security-Too to version 5.3.3 or higher.
Overview
Affected versions of this package are vulnerable to Open Redirect via the /login and /register routes through the ?next parameter, which controls where the user is sent after a successful login or registration. A value such as /\github.com passes the library's redirect validation but is resolved by the browser as a scheme-relative URL to an external host, so an attacker who gets a victim to follow a crafted login or registration link can send them to a site of the attacker's choosing once the form completes (see the PoC below).
Note: With Werkzeug >=2.1.0 the default for the autocorrect_location_header configuration changed to False, which means that Location headers in redirects are emitted relative by default and are resolved by the browser rather than expanded to an absolute URL by Werkzeug. Applications that were previously not impacted may therefore become impacted once they use Werkzeug >=2.1.0 as the WSGI layer.
Workaround
Adding these two configuration options to your app (switching redirect validation to regex mode and supplying a stricter pattern) will mitigate all currently known examples:
app.config['SECURITY_REDIRECT_VALIDATE_MODE'] = "regex"
app.config['SECURITY_REDIRECT_VALIDATE_RE'] = r"^/{4,}|\\{3,}|[\s\000-\037][/\\]{2,}(?![/\\])|[/\\]([^/\\]|/[^/\\])*[/\\].*"
Note: The earlier open-redirect vulnerability in this library, CVE-2021-32618, was insufficiently assessed when it was fixed and a case was missed, which led to the current vulnerability. The fix commit for this advisory applies strictly to this library.
PoC
https://example/login?next=/\github.com
https://example/login?next=\/github.com
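The script below is an added example written for this page; it is not code from the advisory, from Snyk, or from Flask-Security itself. It shows why the two PoC values above slip past a plain urlsplit-based check (browsers treat a backslash as a slash in http(s) URLs, so /\github.com and \/github.com both mean //github.com, a scheme-relative URL to another origin, while urlsplit only recognises an authority after a literal //), how the workaround regex quoted above classifies them, and one way to validate next more robustly by normalising backslashes before checking. The host name example.com, the function names and the sample values are assumptions made for the example; the urlsplit-only check is illustrative of the class of bug and is not the library's actual validation code.

```python
import re
from urllib.parse import urlsplit, urljoin

# The regex from the advisory's workaround (SECURITY_REDIRECT_VALIDATE_RE),
# applied the way a regex-mode validator would: anchored at the start of the
# value, and a match means "reject".
REDIRECT_VALIDATE_RE = re.compile(
    r"^/{4,}|\\{3,}|[\s\000-\037][/\\]{2,}(?![/\\])|[/\\]([^/\\]|/[^/\\])*[/\\].*"
)

OUR_HOST = "example.com"  # assumed host of the application (example only)


def urlsplit_only_check(next_url: str) -> bool:
    """A urlsplit-based check (illustrative, not Flask-Security's code).

    Accepts anything without a scheme or netloc.  Both PoC values pass because
    urlsplit only recognises an authority after a literal '//'; '/\\' and '\\/'
    look like ordinary path characters to it.
    """
    parts = urlsplit(next_url)
    return not parts.scheme and not parts.netloc


def regex_blocks(next_url: str) -> bool:
    """True when the workaround regex rejects the value."""
    return REDIRECT_VALIDATE_RE.match(next_url) is not None


def is_safe_next(next_url: str, host: str = OUR_HOST) -> bool:
    """Hardened local-redirect check (example code, not the library's fix).

    Browsers parse http(s) URLs per the WHATWG URL standard, where a backslash
    is equivalent to a slash, so '/\\host' and '\\/host' both mean '//host'.
    Normalise first, insist on exactly one leading slash, then confirm that
    resolving the value against our own origin keeps us on our host.
    """
    if not isinstance(next_url, str):
        return False
    # Browsers strip C0 control characters and DEL before parsing; rather than
    # reproduce that behaviour, refuse such values outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_url):
        return False
    candidate = next_url.strip().replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    resolved = urlsplit(urljoin(f"https://{host}/", candidate))
    return resolved.scheme == "https" and resolved.netloc == host


# Constructed sample values: the two PoCs from the advisory, the older
# quadruple-slash form from CVE-2021-32618, and two legitimate in-site paths.
SAMPLES = [
    "/\\github.com",
    "\\/github.com",
    "////github.com",
    "/dashboard",
    "/account/settings",
]


def compare(samples=SAMPLES):
    """Return {value: (urlsplit_only_check, regex_blocks, is_safe_next)}."""
    return {s: (urlsplit_only_check(s), regex_blocks(s), is_safe_next(s))
            for s in samples}


if __name__ == "__main__":
    for value, (split_ok, rx_blocks, safe) in compare().items():
        print(f"{value!r:22} urlsplit-accepts={split_ok!s:5} "
              f"regex-rejects={rx_blocks!s:5} hardened-accepts={safe}")
```

Running it shows all three bypass values accepted by the urlsplit-only check and rejected by both the workaround regex and the hardened check. One caveat worth knowing before deploying the workaround: the regex as quoted above also rejects a harmless nested path such as /account/settings, because its last alternative matches any value containing two path separators, so applications that rely on multi-segment next values will see those redirects fall back to the default landing page until they upgrade to 5.3.3 or higher.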