GHSA-x3f4-v83f-7wp2: Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri
Hi,
I found that 6 endpoints in Authorizer accept a user-controlled redirect_uri and append sensitive tokens to it without validating the URL against AllowedOrigins. The OAuth /app handler validates redirect_uri at http_handlers/app.go:46, but the GraphQL mutations and verify_email handler skip validation entirely. An attacker can steal password reset tokens, magic link tokens, and full auth sessions (access_token + id_token + refresh_token) by pointing redirect_uri to their server. Verified against HEAD (commit 73679fa).
References
- github.com/advisories/GHSA-x3f4-v83f-7wp2
- github.com/authorizerdev/authorizer
- github.com/authorizerdev/authorizer/commit/6d9bef1aaba3f867f8c769b93eb7fc80e4e7b0a2
- github.com/authorizerdev/authorizer/pull/502
- github.com/authorizerdev/authorizer/releases/tag/2.0.1
- github.com/authorizerdev/authorizer/security/advisories/GHSA-x3f4-v83f-7wp2
Code Behaviors & Features
Detect and mitigate GHSA-x3f4-v83f-7wp2 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →