AdonisJS, Open Redirect, CVE-None (Medium)

Listen to this Post

The vulnerability exists in `response.redirect().back()` and `response.redirect(‘back’)` methods of @adonisjs/http-server.
When called, the method reads the `Referer` header from the incoming HTTP request and redirects the user to that exact URL.
The method performs no validation of the hostname or domain inside the `Referer` header.
An attacker can craft a malicious webpage that forces a user’s browser to send a request to an AdonisJS application with a `Referer` header pointing to https://attacker.com`.
This is typically done by luring the user to click a link on the attacker’s site, then automatically submitting a form or navigating to a vulnerable route.
The application then calls `response.redirect().back()` and redirects the user to
https://attacker.com` without any check.
Because the redirect originates from the legitimate application domain, users are more likely to trust the destination.
The attacker can then host a phishing page that mimics the original site to steal credentials or tokens.

This is a classic CWE-601: Open Redirect flaw.

The root cause is trusting an untrusted input (the `Referer` header) as the target of a redirect.
No sanitization or host whitelisting is applied before version 8.2.0.
The attack works even if the `Referer` header is set to a completely unrelated external domain.
Applications that use `redirect().back()` after login, form submission, or any state-changing operation are at risk.
The vulnerability requires no special privileges – any unauthenticated endpoint using this method is exploitable.
Browsers allow `Referer` headers to be spoofed or set via `meta` tags, `iframe` navigation, or `fetch` requests with custom headers.
Thus, an attacker can reliably control the redirect target.

dailycve form:

Platform: AdonisJS
Version: <8.2.0
Vulnerability: Open Redirect
Severity: Medium
date: 2026-04-14

Prediction: Already patched (8.2.0)

What Undercode Say:

Simulate exploit: set malicious Referer and call vulnerable endpoint
curl -H "Referer: https://attacker.com/phish" http://victim-app.com/some/route/using/back
// Vulnerable code example (AdonisJS before 8.2.0)
route.post('/submit', async ({ response }) => {
// ... process form
return response.redirect().back(); // redirects to Referer header
});

Exploit:

  1. Attacker hosts a page at https://attacker.com/exploit.html` containing a hidden form that POSTs tohttps://victim.com/delete-account`.
  2. Victim visits attacker’s page; the form auto-submits, sending `Referer: https://attacker.com`.
  3. Victim’s browser sends request to victim.com with attacker-controlled Referer.
  4. Victim.com calls response.redirect().back(), redirecting victim to `https://attacker.com`.

5. Attacker’s page mimics victim.com login, stealing credentials.

Protection from this CVE

  • Upgrade to `@adonisjs/http-server@^8.2.0` or @adonisjs/core@^7.4.0.
  • If unable to upgrade, avoid using `redirect().back()` on any route accessible to external users.
  • Use explicit redirects: response.redirect().toPath('/dashboard').
  • For multi‑domain apps, set `redirect.allowedHosts` in config/app.ts.

Impact:

Open redirect allows attackers to redirect users from a trusted domain to a malicious site, enabling phishing, credential theft, session hijacking, and bypass of CSRF protections. Users may not notice the redirect because the initial request is to the legitimate application.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top