GHSA-w832-gg5g-x44m

Source
https://github.com/advisories/GHSA-w832-gg5g-x44m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-w832-gg5g-x44m/GHSA-w832-gg5g-x44m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-w832-gg5g-x44m
Published
2025-11-06T15:13:33Z
Modified
2025-11-06T15:27:46.674881Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Summary
Open redirect endpoint in Datasette
Details

Impact

Deployed instances of Datasette prior to 0.65.2 and 1.0a21 include an open redirect vulnerability.

Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar.

Patches

This problem has been patched in both Datasette 0.65.2 and 1.0a21.

Workarounds

If Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.
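The same normalization applied at the application layer instead of the proxy, as an added example that is not Datasette's own code: an ASGI middleware (Datasette serves an ASGI application) that collapses a leading run of slashes in the request path before routing, plus a scan of constructed access-log lines for the //host/... request shape. The class and function names and the log lines are this example's own assumptions.

```python
"""Added example (not Datasette's own code): the advisory's workaround,
collapsing a leading run of '/' in request paths, applied at the ASGI layer,
plus a scan of constructed access-log lines for that request shape."""
import re
from typing import Any, Iterable, List, MutableMapping, TypeVar

PathT = TypeVar("PathT", str, bytes)


def collapse_leading_slashes(path: PathT) -> PathT:
    """'//example.com/foo/bar/' -> '/example.com/foo/bar/'; '/a//b/' is unchanged."""
    slash = "/" if isinstance(path, str) else b"/"
    stripped = path.lstrip(slash)
    return path if stripped == path else slash + stripped


def normalized_scope(scope: MutableMapping[str, Any]) -> MutableMapping[str, Any]:
    """Copy of an ASGI HTTP scope with 'path' and 'raw_path' normalized."""
    if scope.get("type") != "http":
        return scope
    fixed = dict(scope)
    fixed["path"] = collapse_leading_slashes(scope.get("path", "/"))
    if scope.get("raw_path") is not None:
        fixed["raw_path"] = collapse_leading_slashes(scope["raw_path"])
    return fixed


class CollapseLeadingSlashes:
    """ASGI middleware (hypothetical name); wrap the ASGI app Datasette exposes."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        await self.app(normalized_scope(scope), receive, send)


# Constructed access-log lines in the form '<client> "<method> <path> <version>"'.
SAMPLE_LOG = [
    '203.0.113.5 "GET //example.com/foo/bar/ HTTP/1.1"',
    '203.0.113.5 "GET /fixtures/facetable HTTP/1.1"',
    '198.51.100.7 "GET //other.example/ HTTP/1.1"',
]
_REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def flag_protocol_relative_paths(lines: Iterable[str]) -> List[str]:
    """Request paths starting with '//', the shape the advisory describes."""
    paths = (m.group(1) for m in map(_REQUEST_LINE.search, lines) if m)
    return [p for p in paths if p.startswith("//")]
```

Only the leading run of slashes is touched, so paths that legitimately contain // further in (for example in an encoded query value) are left as they are.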

Database specific
{
    "nvd_published_at": null,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-06T15:13:33Z"
}
References

Affected packages

PyPI / datasette

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.65.2

Affected versions

0.*

0.8
0.9
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.22.1
0.23
0.23.1
0.23.2
0.24
0.25
0.25.1
0.25.2
0.26
0.26.1
0.26.2
0.27
0.27.1
0.28
0.29
0.29.1
0.29.2
0.29.3
0.30
0.30.1
0.30.2
0.31
0.31.1
0.31.2
0.32
0.33
0.34
0.35
0.36
0.37
0.37.1
0.38
0.39
0.40
0.41
0.42
0.43
0.44
0.45a0
0.45a1
0.45a2
0.45a3
0.45a4
0.45a5
0.45
0.46
0.47
0.47.1
0.47.2
0.47.3
0.48
0.49a0
0.49a1
0.49
0.49.1
0.50a0
0.50a1
0.50
0.50.1
0.50.2
0.51a0
0.51a1
0.51a2
0.51
0.51.1
0.52
0.52.1
0.52.2
0.52.3
0.52.4
0.52.5
0.53
0.54a0
0.54
0.54.1
0.55
0.56
0.56.1
0.57a0
0.57a1
0.57
0.57.1
0.58a0
0.58a1
0.58
0.58.1
0.59a0
0.59a1
0.59a2
0.59
0.59.1
0.59.2
0.59.3
0.59.4
0.60a0
0.60a1
0.60
0.60.1
0.60.2
0.61a0
0.61
0.61.1
0.62a0
0.62a1
0.62
0.63a0
0.63a1
0.63
0.63.1
0.63.2
0.63.3
0.64
0.64.1
0.64.2
0.64.3
0.64.4
0.64.5
0.64.6
0.64.7
0.64.8
0.65
0.65.1

PyPI / datasette

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0a0
Fixed
1.0a21

Affected versions

1.*

1.0a0
1.0a1
1.0a2
1.0a3
1.0a4
1.0a5
1.0a6
1.0a7
1.0a8
1.0a9
1.0a10
1.0a11
1.0a12
1.0a13
1.0a14
1.0a15
1.0a16
1.0a17
1.0a18
1.0a19
1.0a20

Database specific

last_known_affected_version_range

"< 1.0a20"