Listen to this Post
How the CVE Works
This vulnerability resides in Probo’s `saferedirect` package, which is responsible for validating redirect URLs across critical authentication flows including OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. The package’s validation logic contains a critical flaw: it only inspects the second character of relative paths to determine if a URL is safe.
An attacker can craft a malicious URL such as /../\evil.com. Because the second character of this string is `.` (a dot), the validator incorrectly treats it as a legitimate relative path and allows it to pass validation. However, Go’s `http.Redirect` function normalizes this path to `/\evil.com` before setting the `Location` header. When a browser receives this redirect, it interprets the backslash (\) as a host separator, effectively treating `evil.com` as the target domain.
This normalization discrepancy between Probo’s validator and Go’s `http.Redirect` creates a dangerous open-redirect vulnerability. An attacker can embed this malicious URL in a `continue` parameter or within a session-transfer token. The victim, seeing a link that appears to originate from a trusted Probo domain, clicks it and is silently redirected to an attacker-controlled external site such as https://evil.com`. This bypasses the intended same-origin restriction and enables sophisticated phishing attacks that can lead to credential theft, token leakage, and full session compromise.%5c
The vulnerability is particularly dangerous because it affects multiple authentication flows where redirect validation is critical for security. The fix involves normalizing relative paths with `path.Clean` before validation, rejecting backslashes (including percent-encoded) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.Already Patched (v0.204.0)
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: ....... `go.probo.inc/probo`
Version: ........ `< 0.204.0`
Vulnerability :...... `Open Redirect (CWE-601)`
Severity: ....... `Critical`
date: .......... `2026-06-30`
<h2 style="color: blue;">Prediction: ......</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Check current Probo version probod --version Verify if vulnerable (version < 0.204.0) if [[ $(probod --version | grep -E "^v0\.[0-9]+\.[0-9]+") ]]; then version=$(probod --version | cut -d'v' -f2) if [[ "$version" < "0.204.0" ]]; then echo "VULNERABLE: Upgrade to v0.204.0 or later" else echo "PATCHED: Version $version is secure" fi fi
<h2 style="color: blue;">Exploitation Proof-of-Concept (cURL):</h2>
Craft malicious redirect URL
MALICIOUS_URL="/../%5cevil.com"
Send request with malicious continue parameter
curl -i "https://target-probo.com/auth/oidc?continue=${MALICIOUS_URL}"
Expected response (vulnerable):
HTTP/1.1 302 Found
Location: /\evil.com
Browser interprets as: https://evil.com
<h2 style="color: blue;">Go Exploit Simulation:</h2>
package main
import (
"net/http"
"net/url"
)
func vulnerableRedirect(w http.ResponseWriter, r http.Request) {
// Vulnerable validation: only checks second character
redirectURL := r.URL.Query().Get("continue")
if len(redirectURL) > 1 && redirectURL[bash] == '.' {
// Passes validation for "/../\evil.com"
http.Redirect(w, r, redirectURL, http.StatusFound)
}
}
<h2 style="color: blue;">Protection:</h2>
1. Upgrade Immediately: Self-hosted deployments must upgrade to `probod v0.194.1` or later. The comprehensive fix is included ingo.probo.inc/probo v0.204.0.`) and their percent-encoded form (
2. SaaS Users: Deployments on `getprobo.com` are already patched and require no action.
3. Validation Hardening: Implement proper path normalization using `path.Clean` before any validation checks.
4. Backslash Rejection: Explicitly reject backslashes (%5c) anywhere in the redirect path.
5. Post-Normalization Check: Re-validate the normalized result for protocol-relative prefixes (//) and backslash prefixes.
6. No Practical Workaround: For self-hosted installations, there is no effective workaround other than upgrading to the patched release.
Impact:
- Phishing Attacks: Attackers can craft links that appear to come from a trusted Probo domain but redirect victims to malicious websites.
- Credential Theft: Victims may be tricked into entering credentials on attacker-controlled phishing pages that mimic legitimate Probo authentication interfaces.
- Session Token Leakage: When embedded in OAuth, OIDC, or SAML flows, a single misvalidated redirect can result in token leakage and full session compromise.
- Authentication Flow Bypass: Affects OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links.
- Widespread Exposure: All self-hosted Probo deployments running versions prior to `v0.204.0` are vulnerable.
- No Exploitation in Wild Yet: While no active exploitation has been confirmed, the potential impact necessitates immediate patching.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

