6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49438

GHSA ID

GHSA-672h-6x89-76m5

EPSS Score

0.42718%

CWE

CWE-601

Published

12/27/2023

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-49438

CVE-2023-49438:
Open redirect vulnerability in Flask-Security-Too

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

Flask-Security-Too contains logic to validate that the URL specified within the next parameter is either relative or has the same network location as the requesting URL in an attempt to prevent open redirections. Previously known examples that bypassed the validation logic such as https://example/login?next=\\\\\\github.com were patched in version 4.1.0

However, examples such as https://example/login?next=/\\github.com and https://example/login?next=\\/github.com were discovered due to how web browsers normalize slashes in URLs, which makes the package vulnerable through version <=5.3.2

Additionally, with Werkzeug >=2.1.0 the autocorrect_location_header configuration was changed to False - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if they are using Werkzeug >=2.1.0 as the WSGI layer.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49438

GHSA ID

GHSA-672h-6x89-76m5

EPSS Score

0.42718%

CWE

CWE-601

Published

12/27/2023

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Flask-Security-Too	pip	< 5.3.3	5.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation of the 'next' parameter in redirect logic. Key points:

The core validation function (validate_redirect_url) failed to account for browser slash normalization patterns like '/' and '/'.
The login/register view handlers directly use this validation when processing redirects.
Werkzeug >=2.1.0's default behavior (disabling autocorrect_location_header) exacerbated the issue by allowing relative redirects.
The patch involved strengthening the regex validation, confirming the vulnerability was in the redirect validation workflow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n op*n r**ir**t vuln*r**ility in t** pyt*on p**k*** *l*sk-S**urity-Too <=*.*.* *llows *tt**k*rs to r**ir**t unsusp**tin* us*rs to m*li*ious sit*s vi* * *r**t** URL *y **usin* t** ?n*xt p*r*m*t*r on t** /lo*in *n* /r**ist*r rout*s. *l*sk-S**urity-To

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt v*li**tion o* t** 'n*xt' p*r*m*t*r in r**ir**t lo*i*. K*y points: *. T** *or* v*li**tion *un*tion (v*li**t*_r**ir**t_url) **il** to ***ount *or *rows*r sl*s* norm*liz*tion p*tt*rns lik* '/\' *n* '\/'. *. T**

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-49438: Open redirect vulnerability in Flask-Security-Too

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-49438:
Open redirect vulnerability in Flask-Security-Too

Vulnerability Intelligence
Miggo AI