Probo (goproboinc/probo) Open Redirect Bypass via Path Normalization, CVE-ID: GSA-kwCzR0hTQS14N3FxLW03NDgtOHAyY84ABZy5 (Critical) -DC-Jun2026-763


How the CVE Works

This vulnerability resides in Probo’s `saferedirect` package, which is responsible for validating redirect URLs across critical authentication flows including OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. The package’s validation logic contains a critical flaw: it only inspects the second character of relative paths to determine if a URL is safe.
An attacker can craft a malicious URL such as `/../\evil.com`. Because the second character of this string is `.` (a dot), the validator incorrectly treats it as a legitimate relative path and allows it to pass validation. However, Go's `http.Redirect` function normalizes this path to `/\evil.com` before setting the `Location` header. When a browser receives this redirect, it interprets the backslash (`\`) as a host separator, effectively treating `evil.com` as the target domain.
This normalization discrepancy between Probo's validator and Go's `http.Redirect` creates a dangerous open-redirect vulnerability. An attacker can embed this malicious URL in a `continue` parameter or within a session-transfer token. The victim, seeing a link that appears to originate from a trusted Probo domain, clicks it and is silently redirected to an attacker-controlled external site such as `https://evil.com`. This bypasses the intended same-origin restriction and enables sophisticated phishing attacks that can lead to credential theft, token leakage, and full session compromise.
The vulnerability is particularly dangerous because it affects multiple authentication flows where redirect validation is critical for security. The fix involves normalizing relative paths with `path.Clean` before validation, rejecting backslashes (including the percent-encoded form `%5c`) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.
DailyCVE Form:

Platform: `go.probo.inc/probo`
Version: `< 0.204.0`
Vulnerability: `Open Redirect (CWE-601)`
Severity: `Critical`
Date: `2026-06-30`
Prediction: Already Patched (v0.204.0)
What Undercode Say:

```bash
# Check current Probo version
probod --version

# Verify if vulnerable (version < 0.204.0). The comparison uses sort -V so
# that versions are compared numerically: a plain string compare would treat
# 0.95.0 as newer than 0.204.0.
version=$(probod --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
if [ -z "$version" ]; then
    echo "Could not determine probod version"
elif [ "$version" != "0.204.0" ] \
    && [ "$(printf '%s\n' "$version" "0.204.0" | sort -V | head -n1)" = "$version" ]; then
    echo "VULNERABLE: Upgrade to v0.204.0 or later"
else
    echo "PATCHED: Version $version is secure"
fi
```

Exploitation Proof-of-Concept (cURL):

```bash
# Craft malicious redirect URL
MALICIOUS_URL="/../%5cevil.com"
# Send request with malicious continue parameter
curl -i "https://target-probo.com/auth/oidc?continue=${MALICIOUS_URL}"
```

Expected response (vulnerable):

```
HTTP/1.1 302 Found
Location: /\evil.com
```

Browser interprets as: `https://evil.com`

Go Exploit Simulation:

```go
package main

import (
	"net/http"
)

// vulnerableRedirect reproduces the flawed validation: only the second
// character of the continue target is inspected, so "/../\evil.com" passes
// and http.Redirect then normalizes it to "/\evil.com" in the Location header.
func vulnerableRedirect(w http.ResponseWriter, r *http.Request) {
	redirectURL := r.URL.Query().Get("continue")
	if len(redirectURL) > 1 && redirectURL[1] == '.' {
		// Passes validation for "/../\evil.com"
		http.Redirect(w, r, redirectURL, http.StatusFound)
		return
	}
	http.Error(w, "unsafe redirect target", http.StatusBadRequest)
}

func main() {
	http.HandleFunc("/auth/oidc", vulnerableRedirect)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Protection:

1. Upgrade Immediately: Self-hosted deployments must upgrade to `probod v0.194.1` or later. The comprehensive fix is included in `go.probo.inc/probo v0.204.0`.
2. SaaS Users: Deployments on `getprobo.com` are already patched and require no action.
3. Validation Hardening: Implement proper path normalization using `path.Clean` before any validation checks.
4. Backslash Rejection: Explicitly reject backslashes (`\`) and their percent-encoded form (`%5c`) anywhere in the redirect path.
5. Post-Normalization Check: Re-validate the normalized result for protocol-relative prefixes (`//`) and backslash prefixes.
6. No Practical Workaround: For self-hosted installations, there is no effective workaround other than upgrading to the patched release.

Impact:

  • Phishing Attacks: Attackers can craft links that appear to come from a trusted Probo domain but redirect victims to malicious websites.
  • Credential Theft: Victims may be tricked into entering credentials on attacker-controlled phishing pages that mimic legitimate Probo authentication interfaces.
  • Session Token Leakage: When embedded in OAuth, OIDC, or SAML flows, a single misvalidated redirect can result in token leakage and full session compromise.
  • Authentication Flow Bypass: Affects OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links.
  • Widespread Exposure: All self-hosted Probo deployments running versions prior to `v0.204.0` are vulnerable.
  • No Exploitation in Wild Yet: While no active exploitation has been confirmed, the potential impact necessitates immediate patching.


Sources:

Reported By: github.com