npm · @workos/authkit-session · CVE-2026-42565
**Name of the Vulnerable Software and Affected Versions**
@workos/authkit-session versions prior to 0.5.1
**Description**
An open redirect issue exists in the `handleCallback()` function of `AuthService` due to insufficient validation of the `returnPathname` value derived from the OAuth `state` parameter. The `state` parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The `handleCallback()` function decodes and returns `returnPathname` without enforcing restrictions on origin or scheme, allowing attacker-controlled values to be returned to the application. If this value is used directly in a redirect, users may be sent to an external, attacker-controlled site, which can facilitate phishing or social engineering attacks by leveraging the trust of the originating domain.
**Recommendations**
Update to version 0.5.1.