CVE-2025-64481 in datasette
Summary
by MITRE • 11/07/2025
Datasette is an open source multi-tool for exploring and publishing data. In versions 0.65.1 and below and 1.0a0 through 1.0a19, deployed instances of Datasette include an open redirect vulnerability. Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar. This problem has been patched in both Datasette 0.65.2 and 1.0a21. To work around this issue, if Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.
Analysis
by VulDB Data Team • 12/27/2025
The vulnerability identified as CVE-2025-64481 affects Datasette, an open source multi-tool for exploring and publishing data. Datasette runs as a web application through which users query databases from a browser, which exposes it to web-borne attacks. The flaw is present in versions below 0.65.2 and in 1.0a0 through 1.0a19, and it lets an attacker manipulate where a user's browser is sent.
The technical flaw lies in how Datasette handles request paths that begin with a double slash and end with a trailing slash. When a user accesses a URL such as //example.com/foo/bar/, the application processes the path incorrectly and redirects the user to https://example.com/foo/bar. This is an open redirect: an attacker can craft a link that points at the trusted Datasette host yet sends the visitor to an external site. The redirect triggers only when the path ends with a slash, which narrows the pattern an attacker must use but does not prevent exploitation.
The operational impact goes beyond the redirect itself, because an open redirect is a building block for phishing, credential theft and other social engineering. A malicious link can appear to lead to a trusted source while actually delivering the user to a site that serves malware or harvests credentials. Every deployed Datasette instance within the affected version ranges is exposed, which makes the issue a significant concern for organizations that rely on the tool to publish and explore data. The weakness is classified as CWE-601 (URL Redirection to Untrusted Site, "Open Redirect"), which covers redirecting users to untrusted destinations because of improper input validation.
The fix shipped in Datasette 0.65.2 and 1.0a21 addresses the root cause by handling such URL paths correctly, so the unintended redirect no longer occurs. Organizations should upgrade to a patched version immediately. Where an immediate upgrade is not feasible, a proxy-level workaround provides temporary protection: configure the reverse proxy to normalize incoming URLs by replacing double slashes with single slashes, so the vulnerable path pattern never reaches Datasette. Sanitizing input at more than one layer in this way follows the defense-in-depth principle recommended in cybersecurity frameworks. The vulnerability underlines the need for careful URL handling and validation in web applications that process user-supplied input, and the importance of keeping software current to protect against known flaws.
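The following added example, which is not Datasette's or VulDB's code, models the redirect described above and the proxy-side workaround: it shows why a path starting with // leaves the site after the trailing-slash redirect, how collapsing // to / before the application sees the path keeps the redirect on the instance's own origin, a same-origin check a defender can apply to redirect targets, and a scan of access-log lines for the vulnerable pattern. The origin, the redirect model and the log lines are constructed assumptions.

```python
# Added example for CVE-2025-64481 (not Datasette's own code): models the
# trailing-slash redirect, the proxy-side "//" -> "/" workaround, and a log check.
import re
from urllib.parse import urljoin, urlsplit

ORIGIN = "https://datasette.example"  # constructed origin of the deployed instance

def strip_trailing_slash_location(path: str) -> str:
    """Model of the trailing-slash redirect: "/foo/bar/" -> Location "/foo/bar".
    For the unnormalised "//example.com/foo/bar/" this yields "//example.com/foo/bar",
    which browsers read as a scheme-relative URL for example.com: the open redirect."""
    return path[:-1] if len(path) > 1 and path.endswith("/") else path

def normalize_request_path(path: str) -> str:
    """The advisory's workaround: collapse runs of "/" before Datasette sees the path."""
    return re.sub(r"/{2,}", "/", path)

def resolve_location(origin: str, location: str) -> str:
    """Where a browser lands after following a Location header issued by origin."""
    return urljoin(origin + "/", location)

def is_same_origin_redirect(origin: str, location: str) -> bool:
    """Defensive check: the redirect must keep the instance's scheme and host,
    so a scheme-relative "//host/..." Location is rejected."""
    base, target = urlsplit(origin), urlsplit(resolve_location(origin, location))
    return (base.scheme, base.netloc) == (target.scheme, target.netloc)

def handle(origin: str, raw_path: str, normalize: bool = True) -> str:
    """Final landing URL for a request path, with or without the workaround applied."""
    path = normalize_request_path(raw_path) if normalize else raw_path
    return resolve_location(origin, strip_trailing_slash_location(path))

# Constructed access-log lines; the second carries the vulnerable pattern.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [07/Nov/2025:10:00:00 +0000] "GET /fixtures/facetable/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/Nov/2025:10:00:01 +0000] "GET //example.com/foo/bar/ HTTP/1.1" 302 0',
]
DOUBLE_SLASH_REQUEST = re.compile(r'"(?:GET|HEAD) (//[^ "]*/) HTTP/')

def find_double_slash_requests(lines):
    """Request paths that start with "//" and end with "/": the pattern to review."""
    return [m.group(1) for line in lines if (m := DOUBLE_SLASH_REQUEST.search(line))]
```

Running handle(ORIGIN, "//example.com/foo/bar/", normalize=False) lands on https://example.com/foo/bar, while the normalized call stays on the instance at https://datasette.example/example.com/foo/bar.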