Security Vulnerability Report
CVE-2025-62379 CVSS 3.1 LOW

CVE-2025-62379

Published: 2025-10-15 16:15:36
Last Modified: 2026-04-15 00:35:42

Description

Reflex is a library for building full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint assigns the value of the redirect_to query parameter directly to a client-side link without any validation and triggers an automatic click when the page loads in a GitHub Codespaces environment. This allows an attacker to redirect users to arbitrary external URLs.

The vulnerable route is only registered when a Codespaces environment is detected, and that detection is controlled by environment variables: the same behavior is activated in production if the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable is set. The root cause is that the code assigns redirect_to directly to a.href without any validation and immediately calls click(), so the browser navigates automatically and users can be sent to arbitrary external domains. Execution is gated only by the presence of a sessionStorage flag, so the redirect fires immediately on a first visit or in an incognito/private browsing window; there is no server-side origin/scheme whitelist and no enforcement that the target is an internal path.

This issue has been patched in version 0.8.15. As a workaround, users can ensure that GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in a production environment.

CVSS Details

CVSS Score: 3.1
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

reflex >= 0.5.4
reflex < 0.8.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-62379 Proof of Concept -->
<!-- Open Redirect via /auth-codespace endpoint -->
<!-- Malicious URL example -->
<!-- https://victim-reflex-app.com/auth-codespace?redirect_to=https://evil-phishing-site.com -->
<!-- HTML snippet demonstrating the vulnerable behavior -->
<!DOCTYPE html>
<html>
<head>
  <title>Auth Codespace</title>
</head>
<body>
  <!-- The vulnerable code assigns redirect_to directly to href without validation -->
  <a id="auto-redirect-link" href="">Redirecting...</a>
  <script>
    // Simulate the vulnerable behavior
    const urlParams = new URLSearchParams(window.location.search);
    const redirectTo = urlParams.get('redirect_to');
    // No validation performed on the redirect_to parameter
    if (redirectTo) {
      const linkElement = document.getElementById('auto-redirect-link');
      linkElement.href = redirectTo; // Direct assignment without validation
      linkElement.click();           // Automatic click triggers navigation
    }
  </script>
</body>
</html>
<!-- Python vulnerable route example (for reference only: Flask-style illustrative pseudocode, not the actual Reflex source) -->
<!--
@app.route("/auth-codespace")
def auth_codespace():
    redirect_to = request.args.get("redirect_to")  # No validation!
    return f'<a href="{redirect_to}" id="link">Click</a><script>document.getElementById("link").click();</script>'
-->
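The hardened counterpart to the unchecked `linkElement.href = redirectTo` assignment above, written as an added example for both the description and the PoC (it is not code from the advisory or from the Reflex project); it implements the internal-path and same-origin checks the description says are missing, and the function and parameter names are assumptions.

```javascript
// Added example, not the Reflex project's own fix. Names are assumptions.

// Return a safe navigation target for an auto-redirect, or the fallback
// path "/" when redirectTo is missing, malformed or points off-origin.
function safeRedirectTarget(redirectTo, appOrigin) {
  const origin = new URL(appOrigin).origin; // normalise, e.g. drop a trailing "/"
  const fallback = "/";
  if (typeof redirectTo !== "string" || redirectTo.length === 0) return fallback;
  // Enforce an internal path: exactly one leading "/". This rejects absolute
  // URLs ("https://..."), protocol-relative ones ("//host") and bare schemes.
  if (!redirectTo.startsWith("/") || redirectTo.startsWith("//")) return fallback;
  // Browsers treat "\" as "/" in http(s) URLs, so "/\host" would also leave
  // the origin; control characters are never legitimate in a path.
  if (/[\\\u0000-\u001f]/.test(redirectTo)) return fallback;
  let parsed;
  try {
    parsed = new URL(redirectTo, origin); // resolve against our own origin
  } catch {
    return fallback;
  }
  if (parsed.origin !== origin) return fallback; // defence in depth
  return parsed.pathname + parsed.search + parsed.hash;
}

// Same flow as the PoC (read redirect_to from the query string), but the
// value is validated before it can ever reach a.href / click().
function resolveAutoRedirect(queryString, appOrigin) {
  const redirectTo = new URLSearchParams(queryString).get("redirect_to");
  return safeRedirectTarget(redirectTo, appOrigin);
}

// Browser-side usage, guarded so the module also loads under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const link = document.getElementById("auto-redirect-link");
  link.href = resolveAutoRedirect(window.location.search, window.location.origin);
  link.click();
}
```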

References

https://github.com/reflex-dev/reflex/commit/ade12549f3c0ddab3d7382c581bc04a3c1f989ec
https://github.com/reflex-dev/reflex/security/advisories/GHSA-rfh5-c9h5-q8jm

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62379",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-15T16:15:36.357",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirect_to query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a GitHub Codespaces environment. This allows attackers to redirect users to arbitrary external URLs. The vulnerable route is only registered when a Codespaces environment is detected, and the detection is controlled by environment variables. The same behavior can be activated in production if the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable is set. The vulnerability occurs because the code assigns the redirect_to query parameter directly to a.href without any validation and immediately triggers a click (automatic navigation), allowing users to be sent to arbitrary external domains. The execution condition is based on the presence of a sessionStorage flag, meaning it triggers immediately on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses in place. This issue has been patched in version 0.8.15. As a workaround, users can ensure that GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in a production environment."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-601" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/reflex-dev/reflex/commit/ade12549f3c0ddab3d7382c581bc04a3c1f989ec",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/reflex-dev/reflex/security/advisories/GHSA-rfh5-c9h5-q8jm",
        "source": "[email protected]"
      }
    ]
  }
}