The vulnerability is in the URL path normalization logic of Datasette’s built-in web server. When a request path begins with a double slash, followed by a hostname and ending in a trailing slash (e.g., //example.com/foo/bar/), the trailing slash triggers Datasette’s usual redirect to the canonical URL without that slash. The redirect target is built from the request path without checking that it is still a relative path inside the application, so the Location header becomes //example.com/foo/bar. A value beginning with // is a scheme-relative (network-path) reference: browsers resolve it against the current scheme and the named host, so the 302 Found response sends the user to the attacker-controlled domain instead of to a page on the Datasette instance.
Platform: Datasette
Version: < 0.65.2, 1.0a0-1.0a20
Vulnerability: Open Redirect
Severity: Low
Date: 2025-11-05
Prediction: Patch 2025-11-13
What Undercode Says:
curl -I "http://localhost:8001//phishing.com/login/"
Example vulnerable path handling logic (conceptual Python, mirroring the trailing-slash canonicalization described above, not Datasette’s actual code):

    def handle(path):
        # Canonicalize: strip the trailing slash and redirect to the result,
        # without checking what the result now points at.
        if path.endswith('/') and len(path) > 1:
            location = path.rstrip('/')  # '//phishing.com/login/' -> '//phishing.com/login'
            return 302, location         # '//host/...' is scheme-relative: the browser leaves the site
        return 200, path
How the exploit works:
Attacker crafts a malicious link: `http://datasette-instance.com//evil-site.com/`
User clicks and is redirected to `evil-site.com` (the browser keeps the scheme of the Datasette instance, so typically `https://evil-site.com`)
Used for phishing campaigns, since the visible link starts with the trusted Datasette host.
Protection from this CVE
Upgrade to Datasette 0.65.2.
Upgrade to Datasette 1.0a21.
As a stopgap, configure the reverse proxy to collapse repeated slashes so `//` never reaches Datasette (nginx does this by default with `merge_slashes on`); this does not replace the upgrade.
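The mechanism described above and the hardening the fix list calls for, as an added example that is not Datasette’s own code: a conceptual trailing-slash canonicalizer in its vulnerable and hardened forms, with `urllib` showing which host a browser would land on for each Location value. The origin `https://datasette.example.org`, the function names and the sample paths are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumed deployment origin of the Datasette instance (constructed for the example).
SITE = "https://datasette.example.org"


def canonical_redirect_vulnerable(path: str):
    """Conceptual pre-fix behaviour: strip the trailing slash and redirect to
    whatever is left, without checking what that value points at."""
    if path.endswith("/") and len(path) > 1:
        return 302, path.rstrip("/")  # '//phishing.com/login/' -> '//phishing.com/login'
    return 200, path


def canonical_redirect_hardened(path: str):
    """Same canonicalization, but the Location value is forced to be a single
    same-origin absolute path before it is emitted."""
    if path.endswith("/") and len(path) > 1:
        # Collapse every leading slash to exactly one. Backslashes are stripped
        # too because browsers following the WHATWG URL parser treat '\' like
        # '/' in http(s) URLs, a common bypass of slash-only filters.
        target = "/" + path.rstrip("/").lstrip("/\\")
        parts = urlsplit(target)
        if parts.scheme or parts.netloc:
            # Cannot happen after the collapse above; kept as a defence-in-depth check.
            raise ValueError(f"refusing off-site redirect target: {target!r}")
        return 302, target
    return 200, path


def resolve(location: str) -> str:
    """Host a browser ends up on after following a Location header from SITE.
    urljoin implements the RFC 3986 rule that '//host/...' is a network-path
    reference, so it replaces the origin's host."""
    return urlsplit(urljoin(SITE, location)).netloc


if __name__ == "__main__":
    for path in ["/fixtures/", "//phishing.com/login/"]:
        for name, handler in [("vulnerable", canonical_redirect_vulnerable),
                              ("hardened", canonical_redirect_hardened)]:
            status, location = handler(path)
            host = resolve(location) if status == 302 else "-"
            print(f"{name:10} {path!r:26} -> {status} {location!r:24} browser host: {host}")
```

Running it shows the same request `//phishing.com/login/` producing a Location of `//phishing.com/login` (resolved host `phishing.com`) from the vulnerable handler and `/phishing.com/login` (resolved host `datasette.example.org`) from the hardened one, while an ordinary path such as `/fixtures/` is canonicalized identically by both.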
Impact:
User redirected to malicious sites.
Potential phishing attacks.
Low integrity impact.
Sources:
Reported By: github.com

