GHSA-564j-v29w-rqr6: Khoj Open Redirect Vulnerability in Login Page

July 8, 2024

An attacker can use the next parameter on the login page to redirect a victim to a malicious page, while masking this using a legit-looking app.khoj.dev url. For example, https://app.khoj.dev/login?next=//example.com will redirect to the https://example.com page.

References

github.com/advisories/GHSA-564j-v29w-rqr6
github.com/khoj-ai/khoj
github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py
github.com/khoj-ai/khoj/commit/4daf16e5f916641304e11d56a6071ad365c21a18
github.com/khoj-ai/khoj/security/advisories/GHSA-564j-v29w-rqr6

Code Behaviors & Features

Detect and mitigate GHSA-564j-v29w-rqr6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →