This vulnerability exists in the Account module’s user registration endpoint. The `/Account/Register` page accepts a `returnUrl` parameter to redirect users after a successful registration. The application improperly validates this input, failing to check if the URL belongs to the same domain or a trusted allowlist. An attacker can craft a registration link with a `returnUrl` parameter pointing to an external, malicious domain (e.g., `https://victim-site.com/Account/Register?returnUrl=https://phishing-site.com`). When an unsuspecting user clicks this link and completes the registration process, the application will automatically redirect them to the attacker’s site. This can be used to facilitate phishing campaigns, where the user is tricked into believing the redirect is legitimate, potentially leading to further exploitation.
Platform: ABP Framework
Version: 5.1.0-10.0.0-rc.2
Vulnerability: Open Redirect
Severity: Moderate
Date: Dec 16, 2025
Prediction: Patched (Dec 16, 2025)
What Undercode Say:
curl -I "http://abp-app/Account/Register?returnUrl=https://evil.com"
// Vulnerable code path in AccountController
public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
{
    // ... registration logic
    return Redirect(returnUrl); // Unsafe redirect: returnUrl is never checked against the current origin or an allowlist
}
How to Exploit:
Crafted registration link.
Phishing email campaign.
User redirection post-registration.
Protection from this CVE
Update to 10.0.0-rc.2.
Validate returnUrl domain.
Use Url.IsLocalUrl().
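A hardened version of the handler shown above, added here as an example and not taken from the ABP project's code. The `TrustedHosts` allowlist and the `SafeRedirect` helper are hypothetical; the `Url.IsLocalUrl()` and `LocalRedirect()` calls are the standard ASP.NET Core APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // Hypothetical allowlist of external hosts the application is permitted to redirect to.
    private static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "portal.example.com" };

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
    {
        // ... registration logic unchanged ...

        return SafeRedirect(returnUrl);
    }

    // Accept returnUrl only if it is a local path or points at an allowlisted HTTPS host.
    private IActionResult SafeRedirect(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return RedirectToAction("Index", "Home");

        // IsLocalUrl rejects absolute URLs as well as the "//host" and "/\host" forms
        // that browsers treat as protocol-relative, so the redirect cannot leave this origin.
        if (Url.IsLocalUrl(returnUrl))
            return LocalRedirect(returnUrl);

        // Optional: allow a small, explicit set of external destinations.
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out var uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && TrustedHosts.Contains(uri.Host))
            return Redirect(uri.AbsoluteUri);

        // Anything else is an untrusted destination: ignore it and land on a safe default.
        return RedirectToAction("Index", "Home");
    }
}
```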
Impact:
Phishing attacks.
User credential theft.
Reputation damage.
Sources:
Reported By: github.com