GHSA-H5G6-XMH4-HC37

Vulnerability from github – Published: 2026-07-09 23:19 – Updated: 2026-07-09 23:19
VLAI
Summary
OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect
Details

Summary

The restrictions on redirect URLs in openrun can be bypassed by attackers, leading to open redirect attacks.

Details

In the current project, the referrer header value is used for subsequent redirects, so there is currently a validation for this redirect value. The current validation logic requires that the host and schema of the redirect URL be the same as the current website's URL, and finally, the path part is used for redirection. This check seems robust, but it can still be bypassed by attackers.

QQ20260602-140205-2-2

Here's the problem: Assuming the current website is http://127.0.0.1:25222/, if the attacker passes in a redirect URL of http://127.0.0.1:25222//fushuling.com, its host and schema are obviously the same as the current website, thus bypassing the verification. However, the issue lies in the final redirect URL, which is the path part of the URL, i.e., //fushuling.com.

Browsers automatically complete the HTTP header for URLs starting with //, ultimately successfully bypassing the restriction and redirecting to the external address http://fushuling.com.

This vulnerable behavior was successfully reproduced locally. Normally, specifying an external address directly will be blocked, so it will not redirect.

QQ20260602-140756-2-3

However, if the redirect URL is http://127.0.0.1:25222//fushuling.com, the existing validation logic is bypassed, and the Location header is successfully set to //fushuling.com.

POST /redirecttest/abc/frag HTTP/1.1
Host: 127.0.0.1:25222
Referer: http://127.0.0.1:25222//fushuling.com
Cache-Control: max-age=0
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

QQ20260602-140925-2-4

The user was then successfully redirected to the external address http://fushuling.com.

QQ20260602-141005-2-5

PoC

http://127.0.0.1:25222//fushuling.com

Impact

Open Redirect

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openrundev/openrun"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T23:19:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe restrictions on redirect URLs in `openrun` can be bypassed by attackers, leading to open redirect attacks.\n\n### Details\n\nIn the current project, the referrer header value is used for subsequent redirects, so there is currently a validation for this redirect value. The current validation logic requires that the host and schema of the redirect URL be the same as the current website\u0027s URL, and finally, the path part is used for redirection. This check seems robust, but it can still be bypassed by attackers.\n\n\u003cimg width=\"1606\" height=\"1346\" alt=\"QQ20260602-140205-2-2\" src=\"https://github.com/user-attachments/assets/83c549f3-38d7-444d-90f0-131d806f67ff\" /\u003e\n\nHere\u0027s the problem: Assuming the current website is `http://127.0.0.1:25222/`, if the attacker passes in a redirect URL of `http://127.0.0.1:25222//fushuling.com`, its host and schema are obviously the same as the current website, thus bypassing the verification. However, the issue lies in the final redirect URL, which is the path part of the URL, i.e., `//fushuling.com`. \n\nBrowsers automatically complete the HTTP header for URLs starting with `//`, ultimately successfully bypassing the restriction and redirecting to the external address `http://fushuling.com`.\n\nThis vulnerable behavior was successfully reproduced locally. Normally, specifying an external address directly will be blocked, so it will not redirect.\n\n\u003cimg width=\"1587\" height=\"717\" alt=\"QQ20260602-140756-2-3\" src=\"https://github.com/user-attachments/assets/51430c42-bd10-401b-9c9f-27a91a0bc648\" /\u003e\n\nHowever, if the redirect URL is `http://127.0.0.1:25222//fushuling.com`, the existing validation logic is bypassed, and the Location header is successfully set to `//fushuling.com`.\n\n```\nPOST /redirecttest/abc/frag HTTP/1.1\nHost: 127.0.0.1:25222\nReferer: http://127.0.0.1:25222//fushuling.com\nCache-Control: max-age=0\nsec-ch-ua: \"Not(A:Brand\";v=\"24\", \"Chromium\";v=\"122\"\nsec-ch-ua-mobile: ?0\nsec-ch-ua-platform: \"Windows\"\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n\n```\n\u003cimg width=\"1536\" height=\"729\" alt=\"QQ20260602-140925-2-4\" src=\"https://github.com/user-attachments/assets/31fde919-5f90-409f-8b14-af6c9c71761b\" /\u003e\n\nThe user was then successfully redirected to the external address `http://fushuling.com`.\n\n\u003cimg width=\"1692\" height=\"855\" alt=\"QQ20260602-141005-2-5\" src=\"https://github.com/user-attachments/assets/83b43ef6-52fa-4218-908b-7795394ae707\" /\u003e\n\n### PoC\n```\nhttp://127.0.0.1:25222//fushuling.com\n```\n\n### Impact\nOpen Redirect",
  "id": "GHSA-h5g6-xmh4-hc37",
  "modified": "2026-07-09T23:19:39Z",
  "published": "2026-07-09T23:19:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openrundev/openrun/security/advisories/GHSA-h5g6-xmh4-hc37"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openrundev/openrun/commit/709da784fcf1311c85f30f3542cfa3601a78bbf0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openrundev/openrun"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openrundev/openrun/releases/tag/v0.17.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenRun: Redirect URL validation bypass using \u00a0//host\u00a0 paths leads to Open Redirect"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…