Summary
There is an open redirect in the @keystone-6/auth package, where the redirect leading / filter can be bypassed.
Impact
Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location.
Mitigations
- Don't use the
@keystone-6/auth package
References
Similar Vulnerability Reports
Credits
Thanks to morioka12 for reporting this problem.
If you have any questions around this security advisory, please don't hesitate to contact us at security@keystonejs.com, or open an issue on GitHub.
If you have a security flaw to report for any software in this repository, please see our SECURITY policy.
Summary
There is an open redirect in the
@keystone-6/authpackage, where the redirect leading/filter can be bypassed.Impact
Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location.
Mitigations
@keystone-6/authpackageReferences
Similar Vulnerability Reports
Credits
Thanks to morioka12 for reporting this problem.
If you have any questions around this security advisory, please don't hesitate to contact us at security@keystonejs.com, or open an issue on GitHub.
If you have a security flaw to report for any software in this repository, please see our SECURITY policy.