AuthKit Session CVE-2026-42565
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
An open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter.
The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback function decodes and returns returnPathname without enforcing restrictions on origin or scheme. As a result, attacker-controlled values (e.g., https://evil.com/, //evil.com, or similar variants) may be returned to the application.
If this value is used directly in a redirect (e.g., via an HTTP Location header, framework redirect helpers, or client-side navigation), it may cause the user to be redirected to an external, attacker-controlled site.
Security Impact This issue may be used to facilitate phishing or user redirection attacks by leveraging the trust of the originating domain. For example, an attacker could craft a link that directs a user through a legitimate authentication flow and then redirects them to an external site.
The severity depends on how returnPathname is used by the application. Exploitation requires:
- The application to use
returnPathnameas a redirect target, and - The absence of downstream validation or allowlisting
This vulnerability does not enable authentication bypass, token disclosure, or direct account compromise on its own, but may increase the effectiveness of social engineering attacks when combined with user interaction.
Vulnerability Type CWE-601: URL Redirection to Untrusted Site (Open Redirect)
Patches Patched in https://github.com/workos/authkit-session/releases/tag/v0.5.1
AnalysisAI
Open redirect vulnerability in @workos/authkit-session allows unauthenticated remote attackers to redirect authenticated users to arbitrary external sites by crafting malicious OAuth state parameters. The AuthService.handleCallback function fails to validate the returnPathname value decoded from the state parameter, enabling attackers to embed external URLs (e.g., https://evil.com, //evil.com) that are returned directly in HTTP Location headers or client-side redirects. This facilitates phishing and social engineering attacks by leveraging trust in the legitimate domain. Patched in version 0.5.1.
Technical ContextAI
The vulnerability exists in the OAuth callback handling flow of @workos/authkit-session, an npm package for session management in authentication workflows. The OAuth 2.0 state parameter is a security mechanism designed to prevent CSRF attacks by round-tripping application state through the identity provider (IdP). However, the AuthService.handleCallback function in versions before 0.5.1 decodes the returnPathname value from this state parameter without enforcing origin or URL scheme restrictions. The underlying root cause is CWE-601 (URL Redirection to Untrusted Site), where unsanitized user input is used directly in a redirect context. The fix implements a sanitizeReturnPathname utility function that parses untrusted input against a throwaway origin using the WHATWG URL parser, extracting only the pathname, search, and hash components while discarding any scheme or host. This ensures that only same-origin relative paths (e.g., /dashboard?tab=settings) are returned, while absolute URLs, protocol-relative URLs (//evil.com), scheme-based URLs (javascript:, data:, ftp:), and various smuggling techniques (backslash, null-byte, URL-encoding variants) are neutralized.
RemediationAI
Vendor-released patch: upgrade @workos/authkit-session to version 0.5.1 or later. The patch introduces a sanitizeReturnPathname utility function that normalizes untrusted return-path values by parsing them against a throwaway origin and extracting only the pathname, search, and hash components, neutralizing absolute URLs, protocol-relative URLs, and various URL-encoding and scheme smuggling techniques. Update your package.json dependency and run npm install or equivalent package manager update. If upgrading is not immediately possible, implement a downstream allowlist of permitted redirect destinations before using returnPathname in any redirect operation-explicitly validate that returnPathname begins with a single forward slash and does not contain any scheme or domain components. However, relying solely on allowlisting introduces maintenance risk if paths are added without proper security review, so patching should be prioritized. The patch has been verified via the GitHub commit f56e1d6214a93160759e5677b7a3d772b244db39, which also adds comprehensive unit tests covering absolute URLs, protocol-relative URLs, backslash smuggling, scheme-based attacks, and character-based smuggling (null-byte, URL-encoding variants).
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vvvv-983w-r7pv