GHSA-w2j7-f3c6-g8cw: Flask-Security has an Open Redirect issue
flask_security.utils.validate_redirect_url() accepts an attacker-controlled redirect URL when the option that permits redirects to subdomains of the application's own domain is enabled.
The bypass uses a backslash, either raw or percent-encoded, inside the URL authority:
http://evil.com\.whitelist.com
http://evil.com%5C.whitelist.com
Python's urlsplit() does not treat a backslash as a delimiter, so it returns the whole string evil.com\.whitelist.com (or evil.com%5C.whitelist.com) as the netloc. Because that value ends with .whitelist.com, validate_redirect_url() accepts it as an allowed subdomain of whitelist.com. A browser, following the WHATWG URL standard, instead treats a backslash in the authority of an http(s) URL as a path separator, so the raw-backslash form sends the user to evil.com with the path /.whitelist.com.
This is the same class of bug as the earlier Flask-Security-Too open redirect advisory CVE-2023-49438 / GHSA-672h-6x89-76m5, in which crafted redirect URLs bypassed validation because browsers normalize URLs differently from Python's parser.
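The following script is an added example, not Flask-Security's own code: vulnerable_validate() is a simplified model of the flawed check described above (trusting urlsplit().netloc and comparing its suffix), browser_host() shows where a browser would actually navigate for the raw-backslash payload, and hardened_validate() is one way to write the check so that both advisory payloads are rejected. All three function names, the regular expression and the sample URLs are assumptions made for this example; the hardened variant is not the project's actual fix.

```python
"""Model of the GHSA-w2j7-f3c6-g8cw redirect check (example, not Flask-Security code)."""
import re
from urllib.parse import urlsplit

# Base domain used in the advisory's payloads.
ALLOWED_BASE = "whitelist.com"

# Constructed sample inputs: the two payloads from the advisory text.
ADVISORY_PAYLOADS = [
    "http://evil.com\\.whitelist.com",   # raw backslash in the authority
    "http://evil.com%5C.whitelist.com",  # percent-encoded backslash
]


def vulnerable_validate(url: str, base_domain: str = ALLOWED_BASE) -> bool:
    """Simplified model of the flawed check: trust urlsplit().netloc and accept
    it when it equals the base domain or ends with '.' + base domain."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return True  # relative URL, stays on this site
    netloc = parts.netloc
    return netloc == base_domain or netloc.endswith("." + base_domain)


def browser_host(url: str) -> str:
    """Host a browser would actually connect to. Per the WHATWG URL standard a
    backslash in the authority of an http(s) URL is a path separator, modelled
    here by turning backslashes into slashes before splitting. Only the raw
    backslash form is modelled; the %5C form is not decoded here."""
    return urlsplit(url.replace("\\", "/")).hostname or ""


# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def hardened_validate(url: str, base_domain: str = ALLOWED_BASE) -> bool:
    """Allow-list check that re-validates the host instead of trusting netloc."""
    # Refuse anything a browser may reinterpret, wherever it appears:
    # backslashes and CR/LF/TAB characters.
    if any(ch in url for ch in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("", "http", "https"):
        return False
    if not parts.netloc:
        return True  # relative path such as /account
    # No percent-encoding or userinfo in the authority.
    if "%" in parts.netloc or "@" in parts.netloc:
        return False
    host = parts.hostname or ""  # lowercased, port stripped
    if not host or not all(_LABEL.match(label) for label in host.split(".")):
        return False
    return host == base_domain or host.endswith("." + base_domain)


if __name__ == "__main__":
    for url in ADVISORY_PAYLOADS:
        print(url, "| vulnerable:", vulnerable_validate(url),
              "| hardened:", hardened_validate(url),
              "| browser host:", browser_host(url))
```

The hardened variant rejects backslashes anywhere in the URL rather than only in the authority, so schemeless forms that a browser might normalize into a host are refused as well, and it compares against urlsplit().hostname (lowercased, port removed) only after every label has passed a strict hostname pattern.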