Sylius, Open Redirect, CVE-2026-31819 (MEDIUM)

Listen to this Post

The vulnerability resides in how Sylius handles HTTP redirects. Three specific components—CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction(), and StorageBasedLocaleSwitcher::handle()—trust the HTTP Referer header without proper validation. When a victim clicks a seemingly legitimate link on an attacker-controlled page, the browser automatically includes the attacker’s site URL as the Referer header when navigating to the Sylius application. Sylius then reads this header and redirects the user back to that URL. Because the redirect originates from a trusted domain (the Sylius shop), it can be leveraged for sophisticated phishing attacks or credential theft, as victims see a trusted URL in their address bar before being taken to the malicious site. The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat .

dailycve form:

Platform: Sylius
Version: <1.9.12,<1.10.16,<1.11.17,<1.12.23,<1.13.15,<1.14.18,<2.0.16,<2.1.12,<2.2.3
Vulnerability: Open Redirect
Severity: 6.9 MEDIUM
date: 03/10/2026

Prediction: Patched versions available

What Undercode Say:

Analytics

The vulnerability affects all Sylius versions prior to the patch releases. To check if your Sylius installation is vulnerable, you can inspect the controller code:

Check if CurrencySwitchController uses Referer header
grep -r "Referer" vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Controller/CurrencySwitchController.php
Expected vulnerable code pattern
$referer = $request->headers->get('referer');
return $this->redirect($referer);

Exploit

An attacker can craft a malicious page that triggers the redirect:

<!-- attacker.html -->
<a href="https://target-shop.com/en/currency/switch?code=USD">Click here for special offer!</a>

When the victim clicks this link, their browser sends a request to the Sylius shop with the Referer header set to the attacker’s domain. The vulnerable controller reads this header and redirects the user to `https://attacker.com/fake-login-page`.

A more direct exploit using curl:

Craft a request with a malicious Referer header
curl -I -H "Referer: https://evil.com/phishing-page" \
"https://target-shop.com/en/currency/switch?code=USD"

Protection

1. Immediate Update: Upgrade to patched versions:

composer require sylius/sylius:^2.2.3 --update-with-dependencies

2. Code-Level Fix: If immediate update isn’t possible, implement validation:

// In affected controllers, validate the referer
$referer = $request->headers->get('referer');
if ($referer && parse_url($referer, PHP_URL_HOST) === $request->getHost()) {
return $this->redirect($referer);
}
return $this->redirectToRoute('sylius_shop_homepage');

3. Nginx Mitigation (partial):

Block external referers for sensitive endpoints
location ~ /(currency|impersonate|locale)/switch {
if ($http_referer !~ "^https?://yourdomain.com") {
return 403;
}
}

Impact

  • Phishing Attacks: Attackers can create convincing phishing pages while showing a legitimate Sylius URL in the address bar before redirect
  • Credential Theft: Users may enter credentials on fake login pages after being redirected from the trusted domain
  • Admin Account Compromise: Admin users clicking links in emails or chats are equally vulnerable, potentially leading to backend access
  • Session Exposure: The redirect may leak session tokens or authentication data to malicious sites through Referer headers
  • Business Reputation Damage: Customers losing credentials through trusted shop URLs damages brand trust and may lead to financial fraud claims

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top