+ "details": "### Mitigation\n\nMake sure `GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` is not set in a production environment. So the following is correct:\n\n```\nassert os.getenv(\"GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN\") is None\n```\n\n### **Vulnerability Description**\n\n---\n\n**Vulnerability Overview**\n \n- When the GET /auth-codespace page loads in a GitHub Codespaces environment, it automatically assigns the redirect_to query parameter value directly to client-side links without any validation and triggers automatic clicks. This allows attackers to redirect users to arbitrary external URLs.\n- The route is only registered when a Codespaces environment is detected, and the detection is controlled by environment variables. This means that the same behavior can be activated in production if the corresponding environment variable is set.\n\n**Vulnerable Code Analysis**\n \n\nhttps://github.com/reflex-dev/reflex/blob/51f9f2c2f52cac4d66c07683a12bc0237311b6be/reflex/utils/codespaces.py#L18-L46\n\n- This code assigns the redirect_to query parameter directly to a.href without any validation and immediately triggers a click (automatic navigation), allowing users to be sent to arbitrary external domains, resulting in an open redirect vulnerability.\n- The execution condition is simply based on the presence of a sessionStorage flag, meaning it triggers immediately on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses in place.\n\n### PoC\n\n---\n\n**PoC Description**\n \n\n<img width=\"623\" height=\"497\" alt=\"image\" src=\"https://github.com/user-attachments/assets/55ef4828-09fa-451b-a7cc-8fcaad6a2a21\" />\n\n\n- Used the production configuration from docker-example (docker-example/production-compose).\n- Added a Codespaces detection environment variable to the app container in compose.yaml to forcibly expose the route.\n- GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN: dummy\n- The reverse proxy (Caddy) needs to be configured to forward /auth-codespace to the backend (required depending on the environment).\n\n**curl Example**\n\n\n```\nhttps://localhost/auth-codespace?redirect_to=http://google.com\n```\n\n**PoC MP4**\nhttps://file.notion.so/f/f/d105d145-04bc-45c5-b46c-ed880895e9de/a86c3e3b-f67f-45d1-8fa2-4aa0ba7d0068/poc.mp4?table=block&id=26955717-5d2e-805a-b53c-e25ee03f1d4b&spaceId=d105d145-04bc-45c5-b46c-ed880895e9de&expirationTimestamp=1760508000000&signature=ZPp8PVldfGOh0gB5tVElRV6GN789R-EG0oxZgkFjjLU&downloadName=poc.mp4\n\n<img width=\"1917\" height=\"949\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e565dc4e-a59b-44d4-a92a-ebf128489e88\" />\n\n<img width=\"1913\" height=\"977\" alt=\"image\" src=\"https://github.com/user-attachments/assets/496fa585-76ea-4d2d-80f8-0ab79f51229e\" />\n\n\n\n\n### Impact\n\n---\n\n**Phishing/Social Engineering Attacks**\n\n\nUsers can be exploited by immediately redirecting from a trusted domain to external malicious sites, taking advantage of user trust. This enables login page spoofing, credential harvesting, and redirection to malware distribution pages.\n\n**Authentication/Session Flow Disruption**\n \n\nWhen users with valid sessions/cookies from the same origin click the link, they are redirected to unintended external domains, which can bypass or disrupt authentication/authorization flows. When combined with redirect-based flows like OAuth/OIDC, this can escalate into security incidents.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments