Listen to this Post
The vulnerability exists in `response.redirect().back()` and `response.redirect(‘back’)` methods of @adonisjs/http-server.
When called, the method reads the `Referer` header from the incoming HTTP request and redirects the user to that exact URL.
The method performs no validation of the hostname or domain inside the `Referer` header.
An attacker can craft a malicious webpage that forces a user’s browser to send a request to an AdonisJS application with a `Referer` header pointing to https://attacker.com`.https://attacker.com` without any check.
This is typically done by luring the user to click a link on the attacker’s site, then automatically submitting a form or navigating to a vulnerable route.
The application then calls `response.redirect().back()` and redirects the user to
Because the redirect originates from the legitimate application domain, users are more likely to trust the destination.
The attacker can then host a phishing page that mimics the original site to steal credentials or tokens.
This is a classic CWE-601: Open Redirect flaw.
The root cause is trusting an untrusted input (the `Referer` header) as the target of a redirect.
No sanitization or host whitelisting is applied before version 8.2.0.
The attack works even if the `Referer` header is set to a completely unrelated external domain.
Applications that use `redirect().back()` after login, form submission, or any state-changing operation are at risk.
The vulnerability requires no special privileges – any unauthenticated endpoint using this method is exploitable.
Browsers allow `Referer` headers to be spoofed or set via `meta` tags, `iframe` navigation, or `fetch` requests with custom headers.
Thus, an attacker can reliably control the redirect target.
dailycve form:
Platform: AdonisJS
Version: <8.2.0
Vulnerability: Open Redirect
Severity: Medium
date: 2026-04-14
Prediction: Already patched (8.2.0)
What Undercode Say:
Simulate exploit: set malicious Referer and call vulnerable endpoint curl -H "Referer: https://attacker.com/phish" http://victim-app.com/some/route/using/back
// Vulnerable code example (AdonisJS before 8.2.0)
route.post('/submit', async ({ response }) => {
// ... process form
return response.redirect().back(); // redirects to Referer header
});
Exploit:
- Attacker hosts a page at
https://attacker.com/exploit.html` containing a hidden form that POSTs tohttps://victim.com/delete-account`. - Victim visits attacker’s page; the form auto-submits, sending `Referer: https://attacker.com`.
- Victim’s browser sends request to victim.com with attacker-controlled Referer.
- Victim.com calls
response.redirect().back(), redirecting victim to `https://attacker.com`.
5. Attacker’s page mimics victim.com login, stealing credentials.
Protection from this CVE
- Upgrade to `@adonisjs/http-server@^8.2.0` or
@adonisjs/core@^7.4.0. - If unable to upgrade, avoid using `redirect().back()` on any route accessible to external users.
- Use explicit redirects:
response.redirect().toPath('/dashboard'). - For multi‑domain apps, set `redirect.allowedHosts` in
config/app.ts.
Impact:
Open redirect allows attackers to redirect users from a trusted domain to a malicious site, enabling phishing, credential theft, session hijacking, and bypass of CSRF protections. Users may not notice the redirect because the initial request is to the legitimate application.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

