Skip to main content

waku CVE-2026-49456

LOW
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-07-08 https://github.com/wakujs/waku GHSA-43fc-v873-qw85
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

AC:L because crafting the exploit URL is trivial once vulnerable code is deployed; UI:R requires victim click; no direct C or A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 22:01 vuln.today

DescriptionGitHub Advisory

Summary

The unstable_redirect() helper exported from waku/router/server (packages/waku/src/router/define-router.tsx:156-161) accepts an arbitrary string and reflects it unchanged into the HTTP Location response header with no URL validation, scheme restriction, or path-only enforcement. Any application that passes user-controlled input to this helper - the natural pattern documented in the JSDoc and official fixtures - is vulnerable to open redirect attacks. An attacker who convinces a victim to click a crafted link can silently redirect the browser to an arbitrary external domain, enabling phishing, credential harvesting, and OAuth token theft. Additionally, scheme-relative URLs (//evil.example/) bypass naive https?://-only allow-list filters that developers might add as ad-hoc mitigations.

Dynamic PoC confirmed against waku 1.0.0-beta.0 (commit 8e9f542) in an isolated Docker environment. Two independent dynamic runs produced identical results.

---

Root Cause

packages/waku/src/router/define-router.tsx:156-161:

ts
export function unstable_redirect(
  location: string, // only URL `pathname` is supported.
  status: 303 | 307 | 308 = 307,
): never {
  throw createCustomError('Redirect', { status, location });
}

The JSDoc comment states "only URL pathname is supported", but this constraint is expressed as documentation only - the function performs no validation. The location value propagates via createCustomError (custom-errors.ts:22-26) into an error digest, is recovered by getErrorInfo in the request handler (handler.ts:79-89), and reflected directly into headers.location of the outgoing Response with no sanitization:

ts
if (info?.location) {
  headers.location = info.location;   // handler.ts:87 - unvalidated reflection
}
return new Response(body, { status, headers });

---

Trigger (one-line summary)

Any developer-supplied user input passed to unstable_redirect() is reflected unchanged into the HTTP Location header, enabling navigation to an attacker-controlled domain.

---

Affected Entry Surfaces

  • unstable_redirect(location, status?) - waku/router/server public export
  • Any page/route component that passes searchParams, query, or other user-

controlled strings to unstable_redirect (the standard post-login or callback redirect pattern)

  • All waku adapters (Node.js, Cloudflare Workers, Vercel Edge, Deno) share the same

handler.ts reflection path; cross-runtime CRLF parity is unaudited (see note below)

---

Additional Defense-in-Depth Concern

On Node.js, CRLF injection via the Location header is rejected by node:_http_outgoing.setHeader (ERR_INVALID_CHAR). This defense is platform-specific and not present in the waku source. Cloudflare Workers, Deno Deploy, and other edge runtimes have not been verified to offer equivalent protection. A cross-runtime audit is recommended.

---

Suggested Fix Outline

Validate the location argument inside unstable_redirect before the error is thrown: reject any value that does not begin with a single / (no //), and reject any value containing control characters (\x00-\x1f). An opt-in allow-list for intentional cross-origin redirects can be provided via a framework configuration option.

---

Disclosure

FieldValue
Reporterj0hndo (dohyun4466@gmail.com)
Discovery date2026-05-17
Embargo90 days from acknowledgment
Patched versionNot yet available
Public referencesCWE-601; OWASP A01:2021

AnalysisAI

Open redirect in waku's unstable_redirect() server-side router helper allows a network attacker to redirect victims' browsers to arbitrary external domains - including phishing sites for credential harvesting and OAuth token theft - by injecting a malicious location string into any waku route that passes user-controlled query parameters to the function. The vulnerability affects waku 1.0.0-beta.0 across all supported runtime adapters (Node.js, Cloudflare Workers, Vercel Edge, Deno), as the reflection path in handler.ts is shared. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL embedding malicious redirect parameter
Delivery
Deliver phishing link to target victim
Exploit
Victim clicks link and requests vulnerable waku endpoint
Execution
Application passes query param unvalidated to unstable_redirect()
Persist
handler.ts reflects value directly into Location header
Impact
Browser follows 307 redirect to attacker-controlled phishing domain

Vulnerability AssessmentAI

Exploitation Exploitation requires that an application developer has written code that passes user-controlled input - such as a URL query parameter (`?next=`, `?redirect=`, `?returnTo=`) - directly to `unstable_redirect()` without prior sanitization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) yields a base score of 3.1, classified Low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a waku application with a post-login redirect endpoint that passes a `next` or `returnTo` query parameter to `unstable_redirect()`, crafts a URL such as `/login?next=//evil.example/harvest`, and distributes it via phishing email. When a victim clicks the link, authenticates, and the server calls `unstable_redirect(req.query.next)`, the browser receives a 307 response with `Location: //evil.example/harvest` and navigates silently to the attacker's credential-harvesting page. …
Remediation No vendor-released patch has been confirmed at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-49456 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy