CVE-2025-62379: reflex-dev/reflex has an Open Redirect vulnerability
Phishing/Social Engineering Attacks
Users can be exploited by immediately redirecting from a trusted domain to external malicious sites, taking advantage of user trust. This enables login page spoofing, credential harvesting, and redirection to malware distribution pages.
Authentication/Session Flow Disruption
When users with valid sessions/cookies from the same origin click the link, they are redirected to unintended external domains, which can bypass or disrupt authentication/authorization flows. When combined with redirect-based flows like OAuth/OIDC, this can escalate into security incidents.
References
- file.notion.so/f/f/d105d145-04bc-45c5-b46c-ed880895e9de/a86c3e3b-f67f-45d1-8fa2-4aa0ba7d0068/poc.mp4?table=block&id=26955717-5d2e-805a-b53c-e25ee03f1d4b&spaceId=d105d145-04bc-45c5-b46c-ed880895e9de&expirationTimestamp=1760508000000&signature=ZPp8PVldfGOh0gB5tVElRV6GN789R-EG0oxZgkFjjLU&downloadName=poc.mp4
- github.com/advisories/GHSA-rfh5-c9h5-q8jm
- github.com/reflex-dev/reflex
- github.com/reflex-dev/reflex/blob/51f9f2c2f52cac4d66c07683a12bc0237311b6be/reflex/utils/codespaces.py
- github.com/reflex-dev/reflex/security/advisories/GHSA-rfh5-c9h5-q8jm
- nvd.nist.gov/vuln/detail/CVE-2025-62379
Code Behaviors & Features
Detect and mitigate CVE-2025-62379 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →