CVE-2025-62379

Name of the Vulnerable Software and Affected Versions Reflex versions 0.5.4 through 0.8.14

Description Reflex is a library used to build full-stack web applications in Python. Versions 0.5.4 through 0.8.14 contain an issue in the /auth-codespace endpoint where the redirect to query parameter value is assigned directly to client-side links without validation. This can lead to automatic clicks and redirection of users to arbitrary external URLs when the application is running in a GitHub Codespaces environment. The vulnerability is triggered when the GITHUB CODESPACES PORT FORWARDING DOMAIN environment variable is set. The code assigns the redirect to query parameter to a.href without validation, triggering immediate navigation to an external domain. The execution depends on a sessionStorage flag, activating on first visits or in incognito mode.

Recommendations Update to version 0.8.15 or later. Ensure that the GITHUB CODESPACES PORT FORWARDING DOMAIN environment variable is not set in a production environment.