-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| friendsofsymfony/oauth2-php | composer | < 1.3.0 | 1.3.0 |
The vulnerability stemmed from improper URI validation in the validateRedirectUri method. The pre-patch implementation (strcasecmp(substr(...)) check) allowed partial domain matches, while the patch introduced exact host/port validation via parse_url(). The added test cases in OAuth2Test.php demonstrate scenarios where subdomain/port manipulation would bypass security without this exact check. The function's direct modification in the security patch confirms its role in the vulnerability.
Ongoing coverage of React2Shell