Skip to main content

AuthKit Session CVE-2026-42565

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-05 https://github.com/workos/authkit-session GHSA-vvvv-983w-r7pv
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 19:32 vuln.today
Analysis Generated
May 05, 2026 - 19:32 vuln.today

DescriptionGitHub Advisory

An open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter.

The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback function decodes and returns returnPathname without enforcing restrictions on origin or scheme. As a result, attacker-controlled values (e.g., https://evil.com/, //evil.com, or similar variants) may be returned to the application.

If this value is used directly in a redirect (e.g., via an HTTP Location header, framework redirect helpers, or client-side navigation), it may cause the user to be redirected to an external, attacker-controlled site.

Security Impact This issue may be used to facilitate phishing or user redirection attacks by leveraging the trust of the originating domain. For example, an attacker could craft a link that directs a user through a legitimate authentication flow and then redirects them to an external site.

The severity depends on how returnPathname is used by the application. Exploitation requires:

  • The application to use returnPathname as a redirect target, and
  • The absence of downstream validation or allowlisting

This vulnerability does not enable authentication bypass, token disclosure, or direct account compromise on its own, but may increase the effectiveness of social engineering attacks when combined with user interaction.

Vulnerability Type CWE-601: URL Redirection to Untrusted Site (Open Redirect)

Patches Patched in https://github.com/workos/authkit-session/releases/tag/v0.5.1

AnalysisAI

Open redirect vulnerability in @workos/authkit-session allows unauthenticated remote attackers to redirect authenticated users to arbitrary external sites by crafting malicious OAuth state parameters. The AuthService.handleCallback function fails to validate the returnPathname value decoded from the state parameter, enabling attackers to embed external URLs (e.g., https://evil.com, //evil.com) that are returned directly in HTTP Location headers or client-side redirects. This facilitates phishing and social engineering attacks by leveraging trust in the legitimate domain. Patched in version 0.5.1.

Technical ContextAI

The vulnerability exists in the OAuth callback handling flow of @workos/authkit-session, an npm package for session management in authentication workflows. The OAuth 2.0 state parameter is a security mechanism designed to prevent CSRF attacks by round-tripping application state through the identity provider (IdP). However, the AuthService.handleCallback function in versions before 0.5.1 decodes the returnPathname value from this state parameter without enforcing origin or URL scheme restrictions. The underlying root cause is CWE-601 (URL Redirection to Untrusted Site), where unsanitized user input is used directly in a redirect context. The fix implements a sanitizeReturnPathname utility function that parses untrusted input against a throwaway origin using the WHATWG URL parser, extracting only the pathname, search, and hash components while discarding any scheme or host. This ensures that only same-origin relative paths (e.g., /dashboard?tab=settings) are returned, while absolute URLs, protocol-relative URLs (//evil.com), scheme-based URLs (javascript:, data:, ftp:), and various smuggling techniques (backslash, null-byte, URL-encoding variants) are neutralized.

RemediationAI

Vendor-released patch: upgrade @workos/authkit-session to version 0.5.1 or later. The patch introduces a sanitizeReturnPathname utility function that normalizes untrusted return-path values by parsing them against a throwaway origin and extracting only the pathname, search, and hash components, neutralizing absolute URLs, protocol-relative URLs, and various URL-encoding and scheme smuggling techniques. Update your package.json dependency and run npm install or equivalent package manager update. If upgrading is not immediately possible, implement a downstream allowlist of permitted redirect destinations before using returnPathname in any redirect operation-explicitly validate that returnPathname begins with a single forward slash and does not contain any scheme or domain components. However, relying solely on allowlisting introduces maintenance risk if paths are added without proper security review, so patching should be prioritized. The patch has been verified via the GitHub commit f56e1d6214a93160759e5677b7a3d772b244db39, which also adds comprehensive unit tests covering absolute URLs, protocol-relative URLs, backslash smuggling, scheme-based attacks, and character-based smuggling (null-byte, URL-encoding variants).

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-42565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy