The vulnerability arises from how WebOb normalizes the HTTP `Location` header. When generating a redirect response, WebOb attempts to ensure the `Location` header includes the request hostname. To do this, it takes the user-supplied redirect path and joins it to the base URL using Python's `urllib.parse.urljoin()`. The `urlsplit()` function, called internally by `urljoin()`, treats a string starting with `//` as a scheme-less (network-path) URI and interprets what follows as the hostname. Consequently, `urljoin()` replaces the original request's hostname with the hostname taken from the second part of the string.
A previous advisory (GHSA-mg3v-6m49-jhp3, CVE-2024-42353) attempted to mitigate this by replacing any occurrence of `//` with `/%2f`. However, this fix failed to account for a behavior introduced in Python 3.10: `urlsplit()` now internally strips ASCII tab (`\t`), carriage return (`\r`), and newline (`\n`) characters from the input string. An attacker can exploit this by providing a redirect location containing a tab character before the attacker-controlled domain, for example `/\t/attacker.com`. The previous fix's `//` replacement does not match such a string, so the tab character survives; when `urlsplit()` then processes the string, it strips the tab, turning `/\t/attacker.com` into `//attacker.com`. This effectively recreates the original scheme-less URI, bypassing the earlier patch and re-introducing the open redirect vulnerability.
The following Python session demonstrates the issue:

```python
>>> from urllib.parse import urljoin
>>> urljoin("https://example.org/", "/\t/attacker.com/some/path/")
'https://attacker.com/some/path/'
```
This shows that a request to `https://example.org/` with a redirect to `/\t/attacker.com/some/path/` would redirect the user to `https://attacker.com/`, an attacker-controlled site.
DailyCVE Form:
Platform: WebOb (Python)
Version: <=1.8.9
Vulnerability: Open Redirect
Severity: Medium (6.1)
Date: 2026-06-04
Prediction: Patched v1.8.10
What Undercode Say:
Simulate a vulnerable endpoint with a malicious Location header:

```shell
curl -i -H "Location: /\t/evil.com/redirect" http://target-app/redirect-endpoint
```

Demonstrate the vulnerability in Python:

```python
from urllib.parse import urljoin

target = urljoin("https://victim.com/", "/\t/evil.com/phish")
print(target)  # Output: https://evil.com/phish
```
Exploit:
An attacker crafts a URL containing a tab character (`%09`) followed by an attacker-controlled domain, e.g., `/\t/evil.com/login`. When a user visits a vulnerable endpoint that redirects based on user input (e.g., a `next` parameter), WebOb normalizes the `Location` header, the tab is stripped, and the redirect target becomes `//evil.com/login`. The user is then redirected to evil.com, potentially to a phishing page that mimics the legitimate site.
Protection:
- Upgrade WebOb to version 1.8.10 or later.
- If upgrading is not possible, validate all redirect targets before assigning them to `Response.location`. Ensure they begin with a scheme (`http://` or `https://`) or are relative to a trusted domain.
- Alternatively, always pass a full, absolute URI including the hostname when setting a redirect location.
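The following validator is an added example of the second mitigation above; it is not WebOb's own code. It rejects the characters `urlsplit()` silently strips, rejects scheme-less `//` targets, and then checks the *resolved* URL against the request's own scheme and host, so a target only survives if it cannot change where the user ends up. The `naive_prior_fix()` helper reproduces the `//` → `/%2f` replacement from the earlier patch purely to contrast it with the validator.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Characters that urlsplit() drops before parsing (tab, CR, LF). Their presence
# in a redirect target has no legitimate use and signals an attempted bypass.
_STRIPPED_BY_URLSPLIT = ("\t", "\r", "\n")
_ALLOWED_SCHEMES = {"http", "https"}


def naive_prior_fix(request_base: str, candidate: str) -> str:
    """The earlier mitigation: neutralise '//' and then join. Shown for contrast."""
    return urljoin(request_base, candidate.replace("//", "/%2f"))


def safe_redirect_target(request_base: str, candidate: str) -> Optional[str]:
    """Return an absolute same-origin redirect URL, or None if the target is unsafe.

    request_base: the request's own absolute URL, e.g. "https://example.org/".
    candidate:    the user-supplied redirect target (for example a `next` parameter).
    """
    if not candidate:
        return None
    # Reject anything urlsplit() would strip, plus other ASCII control characters
    # and backslashes (some browsers treat a backslash as a path separator).
    for ch in candidate:
        if ch in _STRIPPED_BY_URLSPLIT or ord(ch) < 0x20 or ch == "\x7f" or ch == "\\":
            return None
    # A network-path reference ("//host/...") replaces the host on join; refuse it.
    if candidate.startswith("//"):
        return None
    resolved = urljoin(request_base, candidate)
    base = urlsplit(request_base)
    parts = urlsplit(resolved)
    # Decide on the resolved URL, not the raw input: scheme and host must match
    # the request exactly, whatever normalisation urljoin() applied.
    if parts.scheme not in _ALLOWED_SCHEMES or parts.scheme != base.scheme:
        return None
    if parts.netloc.lower() != base.netloc.lower():
        return None
    return resolved
```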
Impact:
Successful exploitation leads to an open redirect. An attacker can redirect a user from a trusted site to any arbitrary site, facilitating phishing attacks, credential theft, or malware distribution. The CVSS v3.1 score is 6.1 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
Sources:
Reported By: github.com