Unknown · Express Openid Connect · CVE-2022-24794
**Name of the Vulnerable Software and Affected Versions**
Express OpenID Connect versions prior to 2.7.2
**Description**
The issue affects users of the `requiresAuth` middleware, either directly or through the default `authRequired` option, making them vulnerable to an Open Redirect when the middleware is applied to a catch-all route. If all routes under a domain are protected with the `requiresAuth` middleware, a visit to a URL like `http://example.com//google.com` will be redirected to `google.com` after login, because the original URL reported by the Express framework (`//google.com`) is stored as the post-login return target without proper sanitization, and browsers interpret a location beginning with `//` as a protocol-relative URL pointing at another host.
**Recommendations**
For versions prior to 2.7.2, upgrade to version 2.7.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `requiresAuth` middleware on catch-all routes until the upgrade is applied.