Snipe-IT EUVD-2026-31965

Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.

Impact

• Phishing: Redirect users to fake login pages to steal credentials
• Session Hijacking: Redirect to attacker site that captures session cookies via JavaScript
• Malware Distribution: Redirect to sites hosting malware or drive-by downloads
• Reputation Damage: Users lose trust when redirected to malicious sites from legitimate application
• Social Engineering: Use trusted Snipe-IT domain to increase phishing success rate

When the user clicks "Save", the application:

1. Processes the form
2. Checks redirect_option (if set to 'back')
3. Calls Helper::getRedirectOption()
4. Retrieves back_url from session: https://evil.com/phishing?target=snipeit
5. Executes redirect()->to($backUrl)
6. User is redirected to attacker's site

This would still require session poisoning, so the actual practical threat here is minimal.

Patches

Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.

Workarounds

None.

Resources

• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
• OWASP: Unvalidated Redirects and Forwards
• Laravel Security: Safe Redirects

snipeit_open_redirect_submission.md