4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-wcx9-ccpj-hx3c

GHSA-wcx9-ccpj-hx3c: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect')

Summary

An issue on Coder's login page allows attackers to craft a Coder URL that when clicked by a logged in user could redirect them to a website the attacker controls, e.g. https://google.com.

Details

On the login page, Coder checks for the presence of a redirect query parameter. On successful login, the user would be redirected to the location of the parameter. Improper sanitization allows attackers to specify a URL outside of the Coder application to redirect users to.

Impact

Coder users could potentially be redirected to a untrusted website if tricked into clicking a URL crafted by the attacker. Coder authentication tokens are not leaked to the resulting website.

To check if your deployment is vulnerable, visit the following URL for your Coder deployment:

https://<coder url>/login?redirect=https%3A%2F%2Fcoder.com%2Fdocs

Patched Versions

This vulnerability is remedied in

v2.16.1
v2.15.3
v2.14.4

All versions prior to 2.3.1 are not affected.

Thanks

https://github.com/jchristov

References

https://github.com/coder/coder/security/advisories/GHSA-wcx9-ccpj-hx3c https://github.com/coder/coder/commit/69c1d981e3131e50d52b01f6a360abadaad699e6

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-wcx9-ccpj-hx3c

GHSA-wcx9-ccpj-hx3c:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/coder/coder/v2	go	= 2.16.0	2.16.1
github.com/coder/coder/v2	go	>= 2.15.0, < 2.15.3	2.15.3
github.com/coder/coder/v2	go	>= 2.3.1, < 2.14.4	2.14.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an open redirect caused by an unsanitized redirect query parameter. The analysis of the provided commit patch (69c1d981e3131e50d52b01f6a360abadaad699e6) shows changes in two key files:

site/src/pages/LoginPage/LoginPage.tsx: The LoginPage component contained the actual redirection logic. Before the patch, it used the redirectTo parameter (obtained from the URL) directly in navigation components (<Navigate>) or window.location.href assignments. This direct usage of an unsanitized external parameter is the core of the vulnerability. The patch modifies this component to sanitize the redirectTo URL before using it.
site/src/pages/LoginPage/LoginPageView.tsx: This file shows that a utility function retrieveRedirect (imported from utils/redirect) was previously used to extract the redirectTo value from the URL's search parameters (location.search). This function is identified as processing the potentially malicious input. The patch refactors how redirectTo is obtained and passed, removing the direct call to retrieveRedirect in this view component.

Therefore, LoginPage is identified as the function containing the vulnerable redirection code, and retrieveRedirect is identified as the function that processed the malicious input (the redirect URL).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-wcx9-ccpj-hx3c: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect')

Summary

Details

Impact

Patched Versions

Thanks

References

GHSA-wcx9-ccpj-hx3c:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.3

4.3

GHSA-wcx9-ccpj-hx3c: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect')

Summary

Details

Impact

Patched Versions

Thanks

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI