CVE-2025-62379
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-62379
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-62379.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-62379
- Aliases
- Published
- 2025-10-15T15:57:57.208Z
- Modified
- 2025-12-02T20:16:49.205139Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Open Redirect in reflex-dev/reflex
- Details
-
Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirectto query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a GitHub Codespaces environment. This allows attackers to redirect users to arbitrary external URLs. The vulnerable route is only registered when a Codespaces environment is detected, and the detection is controlled by environment variables. The same behavior can be activated in production if the GITHUBCODESPACESPORTFORWARDINGDOMAIN environment variable is set. The vulnerability occurs because the code assigns the redirectto query parameter directly to a.href without any validation and immediately triggers a click (automatic navigation), allowing users to be sent to arbitrary external domains. The execution condition is based on the presence of a sessionStorage flag, meaning it triggers immediately on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses in place. This issue has been patched in version 0.8.15. As a workaround, users can ensure that GITHUBCODESPACESPORTFORWARDINGDOMAIN is not set in a production environment.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62379.json", "cwe_ids": [ "CWE-601" ] }- References