PT-2026-35307 — Open Redirect em Npm @Saltcorn/Server

PT-2026-35307 · Npm · @Saltcorn/Server

Publicado

2026-04-16

Atualizado

2026-04-16

CVSS v4.0

5.1

Média

Vetor

AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (``) to forward slashes (/) for special schemes, a payload such as /evil.com/path slips through is relative url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL.

Details

Vulnerable function: packages/server/routes/utils.js:393-395

const is relative url = (url) => {
 return typeof url === "string" && !url.includes(":/") && !url.includes("//");
};

The function's intent is to allow only same-origin redirects, but the allow-list only checks for two literal substrings. It does not handle:

backslash characters, which WHATWG URL parsing (used by every modern browser) treats as forward slashes for the special schemes http, https, ftp, ws, wss. A URL parser fed /evil.com/path with a base of http://victim/ resolves to http://evil.com/path.
non-http(s): schemes that do not contain :/. The strings javascript:alert(1), data:text/html,..., vbscript:... all pass.

Vulnerable callsite: packages/server/auth/routes.js:1371-1376

} else if (
 (req.body || {}).dest &&
 is relative url(decodeURIComponent((req.body || {}).dest))
) {
 res.redirect(decodeURIComponent((req.body || {}).dest));
} else res.redirect("/");

The body's dest is URL-decoded twice (once by body-parser, once by the explicit decodeURIComponent) and the same value is passed to res.redirect. Express 5's res.redirect runs the value through encodeurl@2.0.0, whose whitelist character class [^x21x23-x3Bx3Dx3F-x5Fx61-x7Ax7Cx7E] includes x5C (backslash). The backslash is therefore not percent-encoded and ends up verbatim in the Location response header.

PoC

poc.zip

Please extract the uploaded compressed file before proceeding

./setup.sh
./poc.sh

Impact

Any user who can be lured into clicking a Saltcorn login URL crafted by the attacker will, after submitting their valid credentials, be redirected to an attacker-controlled origin. The redirect happens under the trusted Saltcorn domain, so the user has no visual cue that they are about to leave the site. Realistic abuse patterns:

Credential phishing — the attacker's site renders a forged "session expired, please log in again" prompt to capture the password the user just typed.

Correção

Open Redirect

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-601

Identificadores relacionados

GHSA-F3G8-9XV5-77GV

Produtos afetados

@Saltcorn/Server