| Title | GitHub hsweb-framework 5.0.0 Open Redirect |
|---|---|

## Description

### Overview
The OAuth2 authorization endpoint validates `redirect_uri` using a string prefix check, `redirectUri.startsWith(this.redirectUrl)`:

```java
// Vulnerable check as reported: a plain string prefix comparison on redirect_uri
// (behaviour kept exactly as described; only comments added)
String redirectUri = param.getOrDefault("redirect_uri", client.getRedirectUrl());
client.validateRedirectUri(redirectUri);

public void validateRedirectUri(String redirectUri) {
    // Passes whenever the submitted value begins with the registered URL text,
    // regardless of which host the URL actually resolves to once parsed
    if (ObjectUtils.isEmpty(redirectUri) || (!redirectUri.startsWith(this.redirectUrl))) {
        throw new OAuth2Exception(ErrorType.ILLEGAL_REDIRECT_URI);
    }
}
```
### Impact
Assume an OAuth2 client has registered the following callback URL:

```
https://trusted.example.com
```

An attacker can submit the following `redirect_uri`:

```
https://trusted.example.com:password@evil.com
```

This value passes the `startsWith("https://trusted.example.com")` validation. However, according to URL parsing semantics, the actual destination host is `evil.com`, while `trusted.example.com:password` is treated as the URL userinfo component.

An attacker could exploit this behavior to redirect the authorization code to `evil.com`, creating an authorization code leakage risk.
### Simple Verification
```http
GET /oauth2/authorize?response_type=code&client_id=<clientId>&redirect_uri=https://trusted.example.com:password@evil.com/callback&state=audit
```

The validation passes and returns a URL similar to:

```
https://trusted.example.com:password@evil.com/callback?code=<authorization_code>&state=audit
```

If the caller proceeds to redirect to this URL, the authorization code will be sent to the attacker-controlled domain `evil.com`.
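A component-based check, shown here as an added example that is not hsweb's code, parses the submitted value and compares scheme, host and port with the registered callback while refusing any userinfo; the class and method names are assumptions. Its `main` demonstrates that the report's value satisfies the prefix check but fails the strict one, and that a plain `/callback` path under the registered origin still passes.

```java
import java.net.URI;
import java.net.URISyntaxException;
// Added example, not hsweb's code: compares parsed URL components with the
// registered callback instead of a string prefix. Names are assumed.
public final class RedirectUriValidator {
    private final URI registered;
    public RedirectUriValidator(String registeredRedirectUrl) {
        this.registered = URI.create(registeredRedirectUrl);
    }

    /** The vulnerable prefix check from the report, kept for comparison. */
    public boolean prefixCheck(String redirectUri) {
        return redirectUri != null && redirectUri.startsWith(registered.toString());
    }

    /** Hardened check: no userinfo or fragment, same scheme/host/port, path under the registered path. */
    public boolean strictCheck(String redirectUri) {
        if (redirectUri == null || redirectUri.isEmpty()) return false;
        URI candidate;
        try {
            candidate = new URI(redirectUri).normalize(); // folds "." and ".." path segments
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never passed through
        }
        // "user:pass@host" is exactly the shape used in the bypass, so refuse any userinfo
        if (candidate.getRawUserInfo() != null || candidate.getFragment() != null) return false;
        if (candidate.getScheme() == null || !candidate.getScheme().equalsIgnoreCase(registered.getScheme())) return false;
        if (candidate.getHost() == null || !candidate.getHost().equalsIgnoreCase(registered.getHost())) return false;
        if (effectivePort(candidate) != effectivePort(registered)) return false;
        String base = registered.getPath().isEmpty() ? "/" : registered.getPath();
        String path = candidate.getPath().isEmpty() ? "/" : candidate.getPath();
        return path.equals(base) || path.startsWith(base.endsWith("/") ? base : base + "/");
    }

    // An omitted port means the scheme default, so "https://h" and "https://h:443" compare equal
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        RedirectUriValidator v = new RedirectUriValidator("https://trusted.example.com");
        String bypass = "https://trusted.example.com:password@evil.com/callback"; // value from the report
        String legit = "https://trusted.example.com/callback";
        if (!v.prefixCheck(bypass) || v.strictCheck(bypass) || !v.strictCheck(legit)) {
            throw new AssertionError("validator behaved unexpectedly");
        }
    }
}
```

OAuth 2.0 security guidance favours exact matching of the whole registered URI; the sub-path allowance above only mirrors the report's example, where the registered value is the bare origin.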
| Field | Value |
|---|---|
| Source | https://github.com/hs-web/hsweb-framework/issues/354 |
| User | 0Xrry (UID 86188) |
| Submission | 05/20/2026 09:37 (20 days ago) |
| Moderation | 06/07/2026 11:40 (18 days later) |
| Status | Accepted |
| VulDB entry | 369097 [hs-web hsweb-framework up to 5.0.1 OAuth2 Client OAuth2Client.java OAuth2Client redirect] |
| Points | 20 |