ABP Framework, Open Redirect Vulnerability (Moderate)


This vulnerability exists in the Account module’s user registration endpoint. The `/Account/Register` page accepts a `returnUrl` parameter to redirect users after a successful registration. The application improperly validates this input, failing to check if the URL belongs to the same domain or a trusted allowlist. An attacker can craft a registration link with a `returnUrl` parameter pointing to an external, malicious domain (e.g., `https://victim-site.com/Account/Register?returnUrl=https://phishing-site.com`). When an unsuspecting user clicks this link and completes the registration process, the application will automatically redirect them to the attacker’s site. This can be used to facilitate phishing campaigns, where the user is tricked into believing the redirect is legitimate, potentially leading to further exploitation.
Platform: ABP Framework
Version: 5.1.0-10.0.0-rc.2
Vulnerability: Open Redirect
Severity: Moderate
Date: Dec 16, 2025

Prediction: Patched (Dec 16, 2025)

What Undercode Say:

curl -I "http://abp-app/Account/Register?returnUrl=https://evil.com"

// Vulnerable code path in AccountController: returnUrl is taken from the request and never validated
[HttpPost]
public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
{
    // ... registration logic
    return Redirect(returnUrl); // Unsafe: follows any absolute URL the request supplies
}

How It Is Exploited:

Crafted registration link.

Phishing email campaign.

User redirection post-registration.

Protection from this CVE

Update to 10.0.0-rc.2.

Validate returnUrl domain.

Use Url.IsLocalUrl().
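The hardened form of the action above, as an added example that is not ABP's own code: returnUrl is only honoured when Url.IsLocalUrl() accepts it as a same-site path, or when it is an absolute https URL whose host is on an explicit allow-list; anything else falls back to the application root. The helper name SafeReturnUrl, the TrustedReturnHosts set and the host sso.example.com are assumptions made for this illustration.

```csharp
// Added example (not ABP's own code): a hardened Register action that only
// honours returnUrl when it is a local path or points to an allow-listed host.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // Assumed allow-list of external hosts that may receive post-registration
    // redirects; leave it empty to permit local redirects only.
    private static readonly HashSet<string> TrustedReturnHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "sso.example.com" };

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
    {
        // ... registration logic; this stands in for the real awaited call
        await Task.CompletedTask;

        // Never hand the raw parameter to Redirect(); route it through the validator.
        return Redirect(SafeReturnUrl(returnUrl));
    }

    // Returns returnUrl when it is safe to follow, otherwise the application root.
    private string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return Url.Content("~/");

        // Url.IsLocalUrl accepts "/path" and "~/path" but rejects protocol-relative
        // "//evil.com", backslash variants such as "/\evil.com", absolute
        // "https://evil.com" and non-path schemes such as "javascript:".
        if (Url.IsLocalUrl(returnUrl))
            return returnUrl;

        // Optional allow-list for absolute URLs: require https and an exact host match,
        // comparing the parsed host rather than doing a substring check on the string.
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out var uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && TrustedReturnHosts.Contains(uri.Host))
            return uri.ToString();

        // Untrusted destination: log if desired, then send the user somewhere safe.
        return Url.Content("~/");
    }
}

public class RegisterViewModel { /* registration fields omitted */ }
```

If no external destinations are ever legitimate, drop the allow-list branch and use LocalRedirect(returnUrl) inside the IsLocalUrl check, which throws rather than redirecting if a non-local value ever slips through. Comparing uri.Host against an exact set matters: a substring or StartsWith check on the raw string would still accept hosts such as sso.example.com.evil.com.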

Impact:

Phishing attacks.

User credential theft.

Reputation damage.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
