GHSA-55p7-v223-x366: IdentityServer Open Redirect vulnerability

July 31, 2024

It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site.

References

github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-ff4q-64jc-gx98
github.com/IdentityServer/IdentityServer4
github.com/IdentityServer/IdentityServer4/security/advisories/GHSA-55p7-v223-x366
github.com/advisories/GHSA-55p7-v223-x366
nvd.nist.gov/vuln/detail/CVE-2024-39694

Detect and mitigate GHSA-55p7-v223-x366 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →