How to fix CVE-2024-21641?

Within 7 days: Identify affected systems and apply vendor patches promptly. Vendor patch is available.

Is Open Redirect affected by CVE-2024-21641?

Organizations using Flarum should be aware of notable risk from CVE-2024-21641 rated CVSS 6.5. Exploitation could compromise the security of affected deployments. With an EPSS score of 33%, this vulnerability has elevated exploitation probability.

Open Redirect CVE-2024-21641

MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2024-01-05 [email protected]

Open Redirect Flarum

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:33 vuln.today

Patch released

Mar 28, 2026 - 19:33 nvd

Patch available

CVE Published

Jan 05, 2024 - 21:15 nvd

MEDIUM 6.5

DescriptionNVD

Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum /logout route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe.

AnalysisAI

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 32.8%.

Technical ContextAI

This vulnerability is classified as Open Redirect (CWE-601), which allows attackers to redirect users to malicious websites via URL manipulation. Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum /logout route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe. Affected products include: Flarum. Version information: version 1.8.5.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate redirect destinations against an allowlist, avoid using user input in redirect URLs.

CVE-2024-21641 vulnerability details – vuln.today

Back

Open Redirect CVE-2024-21641

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code