Listen to this Post
The vulnerability resides in how Sylius handles HTTP redirects. Three specific components—CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction(), and StorageBasedLocaleSwitcher::handle()—trust the HTTP Referer header without proper validation. When a victim clicks a seemingly legitimate link on an attacker-controlled page, the browser automatically includes the attacker’s site URL as the Referer header when navigating to the Sylius application. Sylius then reads this header and redirects the user back to that URL. Because the redirect originates from a trusted domain (the Sylius shop), it can be leveraged for sophisticated phishing attacks or credential theft, as victims see a trusted URL in their address bar before being taken to the malicious site. The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat .
dailycve form:
Platform: Sylius
Version: <1.9.12,<1.10.16,<1.11.17,<1.12.23,<1.13.15,<1.14.18,<2.0.16,<2.1.12,<2.2.3
Vulnerability: Open Redirect
Severity: 6.9 MEDIUM
date: 03/10/2026
Prediction: Patched versions available
What Undercode Say:
Analytics
The vulnerability affects all Sylius versions prior to the patch releases. To check if your Sylius installation is vulnerable, you can inspect the controller code:
Check if CurrencySwitchController uses Referer header
grep -r "Referer" vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Controller/CurrencySwitchController.php
Expected vulnerable code pattern
$referer = $request->headers->get('referer');
return $this->redirect($referer);
Exploit
An attacker can craft a malicious page that triggers the redirect:
<!-- attacker.html --> <a href="https://target-shop.com/en/currency/switch?code=USD">Click here for special offer!</a>
When the victim clicks this link, their browser sends a request to the Sylius shop with the Referer header set to the attacker’s domain. The vulnerable controller reads this header and redirects the user to `https://attacker.com/fake-login-page`.
A more direct exploit using curl:
Craft a request with a malicious Referer header curl -I -H "Referer: https://evil.com/phishing-page" \ "https://target-shop.com/en/currency/switch?code=USD"
Protection
1. Immediate Update: Upgrade to patched versions:
composer require sylius/sylius:^2.2.3 --update-with-dependencies
2. Code-Level Fix: If immediate update isn’t possible, implement validation:
// In affected controllers, validate the referer
$referer = $request->headers->get('referer');
if ($referer && parse_url($referer, PHP_URL_HOST) === $request->getHost()) {
return $this->redirect($referer);
}
return $this->redirectToRoute('sylius_shop_homepage');
3. Nginx Mitigation (partial):
Block external referers for sensitive endpoints
location ~ /(currency|impersonate|locale)/switch {
if ($http_referer !~ "^https?://yourdomain.com") {
return 403;
}
}
Impact
- Phishing Attacks: Attackers can create convincing phishing pages while showing a legitimate Sylius URL in the address bar before redirect
- Credential Theft: Users may enter credentials on fake login pages after being redirected from the trusted domain
- Admin Account Compromise: Admin users clicking links in emails or chats are equally vulnerable, potentially leading to backend access
- Session Exposure: The redirect may leak session tokens or authentication data to malicious sites through Referer headers
- Business Reputation Damage: Customers losing credentials through trusted shop URLs damages brand trust and may lead to financial fraud claims
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

