CVE-2025-62379 in reflex
Summary
by MITRE • 10/15/2025
Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirect_to query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a GitHub Codespaces environment. This allows attackers to redirect users to arbitrary external URLs. The vulnerable route is only registered when a Codespaces environment is detected, and the detection is controlled by environment variables. The same behavior can be activated in production if the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable is set. The vulnerability occurs because the code assigns the redirect_to query parameter directly to a.href without any validation and immediately triggers a click (automatic navigation), allowing users to be sent to arbitrary external domains. The execution condition is based on the presence of a sessionStorage flag, meaning it triggers immediately on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses in place. This issue has been patched in version 0.8.15. As a workaround, users can ensure that GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in a production environment.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/15/2025
CVE-2025-62379 represents a critical server-side request forgery vulnerability in the Reflex web application framework affecting versions 0.5.4 through 0.8.14. This vulnerability exists within the /auth-codespace endpoint which automatically processes the redirect_to query parameter without any input validation or sanitization, creating a direct path for attackers to manipulate client-side navigation behavior. The flaw manifests when the framework detects a GitHub Codespaces environment through specific environment variables, particularly the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN variable that can be inadvertently set in production environments. The vulnerability operates at the intersection of CWE-601 and CWE-79, combining open redirect conditions with cross-site scripting risks through automatic client-side navigation. When the vulnerable endpoint is triggered, the application assigns the redirect_to parameter directly to a.href attributes without any verification of the target domain or scheme, immediately executing automatic clicks through document.click() methods upon page load. This behavior is particularly dangerous because the detection mechanism for Codespaces environments can be bypassed in production by setting the appropriate environment variable, making the vulnerability exploitable in live systems rather than just development contexts. The execution condition relies on sessionStorage flags, meaning the malicious redirection occurs automatically on first visits or in private browsing sessions where the flag has not been previously set, eliminating any user interaction requirements for exploitation. The vulnerability lacks any server-side origin validation, scheme enforcement, or internal path restriction mechanisms, creating a complete bypass of normal redirect security controls. This issue directly maps to ATT&CK technique T1566.001 which describes the use of malicious redirects in phishing attacks, and T1190 which covers exploitation of vulnerabilities in web applications. The automatic nature of the click execution means that users are immediately redirected without any warning or user confirmation, making this attack particularly effective for social engineering campaigns. The patch in version 0.8.15 addresses this by implementing proper input validation and sanitization of the redirect_to parameter, ensuring that only trusted domains or internal paths can be used for redirection. The recommended workaround of unsetting the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable in production environments provides a temporary mitigation while users upgrade to the patched version. This vulnerability demonstrates the critical importance of validating all user-provided input in web applications, particularly when that input controls navigation behavior, and highlights the risks associated with environment-based detection mechanisms that can be easily manipulated in production deployments. The impact extends beyond simple redirection as it can enable attackers to conduct phishing attacks, steal session cookies, or redirect users to malicious domains that appear legitimate due to the framework's automatic navigation behavior.