Alt Redirect, Authentication Bypass, CVE-2025-45427 (Moderate)


How the mentioned CVE works:

The vulnerability CVE-2025-45427 exists in the Alt Redirect addon for Statamic. When the "Query String Strip" feature is enabled, the addon is meant to remove specific query parameters from URLs to prevent misuse, but its sanitization logic is flawed: it does not account for case variations of parameter names, URL-encoded keys, or duplicate parameters. An attacker can craft a URL whose malicious parameter uses a different case (e.g., `redirect_to` vs `REDIRECT_TO`) or encoded characters that the filter does not recognize. Because the stripping logic misses these variants, the malicious parameter remains in the URL. When this manipulated URL is processed, it can bypass the intended access controls or sanitization routines, potentially leading to an authentication bypass, cache poisoning, or other security issues by spoofing the redirection target or polluting application parameters.
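To make the three filter gaps concrete, the following added example (not the addon's code) models a naive strip routine beside a hardened one and shows which of the advisory's bypass shapes each lets through. `STRIP_KEYS`, the exact matching rules of the naive version, and the probe URLs are constructed assumptions for illustration, not the addon's actual logic or list.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Keys the "Query String Strip" feature is supposed to remove. Constructed for
# this example: the addon's real list is not on the page.
STRIP_KEYS = {"redirect_to"}


def strip_naive(url: str) -> str:
    """Model of the flawed filter: compares the raw (still percent-encoded)
    key with exact case and drops only the first matching occurrence.
    This reproduces the three gaps the advisory names; it is not the
    addon's actual code."""
    parts = urlsplit(url)
    kept, already_dropped = [], set()
    for pair in parts.query.split("&") if parts.query else []:
        key, _, _value = pair.partition("=")
        if key in STRIP_KEYS and key not in already_dropped:
            already_dropped.add(key)
            continue
        kept.append(pair)
    return urlunsplit(parts._replace(query="&".join(kept)))


def strip_hardened(url: str) -> str:
    """Decode before comparing, compare case-insensitively, and drop every
    occurrence of a stripped key rather than only the first."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes keys
    kept = [(k, v) for k, v in pairs if k.lower() not in STRIP_KEYS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def remaining_keys(url: str) -> list:
    """Decoded, lower-cased query keys still present, in order."""
    return [k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


if __name__ == "__main__":
    # The three bypass shapes from the advisory, on constructed example URLs.
    for probe in (
        "https://example.com/page?REDIRECT_TO=https://malicious.com",    # case variant
        "https://example.com/page?redirect%5fto=https://malicious.com",  # encoded key
        "https://example.com/page?redirect_to=a&redirect_to=b",          # duplicate
    ):
        print("naive   :", remaining_keys(strip_naive(probe)))
        print("hardened:", remaining_keys(strip_hardened(probe)))
```

The hardened version normalizes before it compares, which is the property a detection rule or code review should look for in any parameter-stripping filter.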

DailyCVE Form:

Platform: Statamic
Version: 1.6.3
Vulnerability: Authentication Bypass
Severity: Moderate
Date: 2025-10-10
Prediction: 2025-10-27

What Undercode Say:

Analytics:

`curl -s "https://example.com/page?redirect_URL=https://malicious.com"`
`curl -s "https://example.com/page?redirect%5fto=https://malicious.com"`
`curl -s "https://example.com/page?redirect_to=a&redirect_to=b"`

How to Exploit:

Craft a URL with a case-variant, URL-encoded, or duplicate query parameter that the stripping feature fails to remove, allowing the unauthorized parameter value to be processed.

Protection from this CVE:

Upgrade the Alt Redirect addon to a patched release.

Impact:

Cache Poisoning, Parameter Pollution, Denial of Service.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
