Open Redirect Affecting oarepo-vocabularies package, versions [,2.1.14)

Q: How to fix?

Upgrade oarepo-vocabularies to version 2.1.14 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Open Redirect vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-OAREPOVOCABULARIES-13808519
published2 Nov 2025
disclosed1 Nov 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Nov 2025

NewCWE-601 (opens in a new tab)

How to fix?

Upgrade oarepo-vocabularies to version 2.1.14 or higher.

Overview

oarepo-vocabularies is a Support for custom fields and hierarchy on Invenio vocabularies

Affected versions of this package are vulnerable to Open Redirect.

PoC

via the create_url_rules function in the ui/resources/vocabulary_type/resource.py file. An attacker can redirect a victim user to an arbitrary malicious website by injecting a scheme-relative or absolute URL into the request path.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None