Severity by source
AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.
Impact
- Phishing: Redirect users to fake login pages to steal credentials
- Session Hijacking: Redirect to attacker site that captures session cookies via JavaScript
- Malware Distribution: Redirect to sites hosting malware or drive-by downloads
- Reputation Damage: Users lose trust when redirected to malicious sites from legitimate application
- Social Engineering: Use trusted Snipe-IT domain to increase phishing success rate
When the user clicks "Save", the application:
- Processes the form
- Checks
redirect_option(if set to 'back') - Calls
Helper::getRedirectOption() - Retrieves
back_urlfrom session:https://evil.com/phishing?target=snipeit - Executes
redirect()->to($backUrl) - User is redirected to attacker's site
This would still require session poisoning, so the actual practical threat here is minimal.
Patches
Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.
Workarounds
None.
Resources
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- OWASP: Unvalidated Redirects and Forwards
- Laravel Security: Safe Redirects
AnalysisAI
Open redirect vulnerability in Snipe-IT versions prior to 8.4.1 allows authenticated attackers to redirect users to malicious sites by poisoning the session-stored HTTP Referer header, enabling phishing, session hijacking, and malware distribution attacks. Exploitation requires prior session poisoning and user interaction (clicking a form submission), limiting real-world practical impact despite moderate CVSS score of 5.9. Vendor-released patch available in version 8.4.1.
Technical ContextAI
Snipe-IT is a Laravel-based IT asset management application. The vulnerability exists in the redirect logic chain: when processing form submissions with redirect_option set to 'back', the application calls Helper::getRedirectOption() which retrieves an unvalidated back_url parameter from the user's session variable and passes it directly to Laravel's redirect()->to($backUrl) function without URL validation. This violates CWE-601 (URL Redirection to Untrusted Site) by failing to implement whitelist-based or domain-validation checks on redirect destinations. The root cause is trust in session-stored data without re-validation at redirect time, assuming the session layer itself provides sufficient security boundaries.
RemediationAI
Vendor-released patch: upgrade Snipe-IT to version 8.4.1 or later. The fix implements URL validation via the commit e37649212861a337e68a624e589c3540b7a82373 to sanitize redirect destinations before execution. No workarounds are documented by the vendor. As a temporary compensating control pending upgrade, administrators can disable or restrict access to form submission endpoints that trigger the redirect functionality, or implement network-level controls to monitor and block redirects to external domains by inspecting HTTP Location headers in responses. However, these controls degrade application functionality and should only be considered as temporary measures. Apply the patch at the earliest convenient maintenance window; this is not a critical patch given the exploitation prerequisites.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31965
GHSA-mghp-5cq4-v6mg