| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| datasette | pip | < 0.65.2 | 0.65.2 |
| datasette | pip | >= 1.0a0, < 1.0a20 | 1.0a21 |
The vulnerability is an open redirect within the handle_404 function in datasette/app.py. The function is responsible for handling 404 Not Found errors. When a request is made to a path that does not exist but ends with a /, the application logic attempts to redirect the user to the same path without the trailing slash. The vulnerability is triggered when a malicious actor crafts a URL where the path starts with // followed by a domain they control (e.g., //example.com). The application fails to sanitize this input and includes it in the Location header of the redirect response. Modern browsers interpret a Location header starting with // as a protocol-relative URL, causing a redirect to the external domain. The patch addresses this by using a regular expression to replace any number of leading slashes with a single slash, ensuring that the redirect is always to a path on the same domain.
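The following is an added example, not Datasette's own code, that models the redirect logic described above in the vulnerable and the patched form and adds a same-origin check a defender can apply to any Location value before it is emitted. The function names, the `SAMPLE_PATHS` list and the audit helper are constructed for illustration; only the leading-slash regular expression idea comes from the description of the fix.

```python
import re
from urllib.parse import urlsplit

# Constructed request paths; "//example.com/" is the shape named in the advisory.
SAMPLE_PATHS = ["/about/", "//example.com/", "///example.com/", "/docs/page/"]


def vulnerable_redirect_target(path: str) -> str:
    """Pre-patch behaviour as described: drop the trailing slash and nothing else.

    Hypothetical helper, not Datasette's handle_404. A path beginning with
    "//" survives untouched and becomes a protocol-relative Location value.
    """
    return path[:-1] if path.endswith("/") else path


def patched_redirect_target(path: str) -> str:
    """Post-patch behaviour: collapse any run of leading slashes to a single one
    before dropping the trailing slash, so the result is always a local path."""
    path = re.sub(r"^/+", "/", path)
    return path[:-1] if path.endswith("/") else path


def is_local_path(location: str) -> bool:
    """Defensive check for a redirect target: a same-origin relative redirect has
    no scheme, no network location, exactly one leading slash."""
    parts = urlsplit(location)
    return (
        parts.scheme == ""
        and parts.netloc == ""
        and location.startswith("/")
        and not location.startswith("//")
    )


def audit(paths):
    """Map each sample path to (vulnerable target, patched target, patched target is local)."""
    return {
        p: (
            vulnerable_redirect_target(p),
            patched_redirect_target(p),
            is_local_path(patched_redirect_target(p)),
        )
        for p in paths
    }


if __name__ == "__main__":
    for path, (old, new, local) in audit(SAMPLE_PATHS).items():
        print(f"{path!r}: before={old!r} after={new!r} local={local}")
```

`urlsplit` treats a value that starts with `//` as having a network location, which is exactly why browsers follow it off-site; the `is_local_path` check rejects that case independently of how the redirect target was computed, so it is a useful regression test for any 404 handler that builds a Location header from user-supplied path segments.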
Affected function: Datasette.handle_404 (datasette/app.py)