PT-2025-45782 · Pypi · Datasette

Published: 2025-11-06 · Updated: 2025-11-06

CVSS v4.0: 2.7 (Low)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Impact

Deployed instances of Datasette prior to 0.65.2 and 1.0a21 include an open redirect vulnerability.
Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar.

Patches

This problem has been patched in both Datasette 0.65.2 and 1.0a21.

Workarounds

If Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.
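The following added example is not Datasette's code or its patch. It models the redirect described under Impact and shows why collapsing repeated slashes keeps the target on the instance's own origin. The origin `https://datasette.example`, the function names and the simplified trailing-slash redirect are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed origin standing in for a deployed instance (assumption).
ORIGIN = "https://datasette.example"


def naive_slash_redirect(path):
    """Simplified model of a 'strip the trailing slash' redirect.

    Returns the value that would be sent as the Location header,
    or None when no redirect is issued. Not Datasette's own code.
    """
    if path != "/" and path.endswith("/"):
        return path.rstrip("/")
    return None


def browser_resolves(location):
    """Resolve a Location header the way a client does, relative to ORIGIN."""
    return urljoin(ORIGIN + "/", location)


def collapse_slashes(path):
    """Workaround from the advisory: replace runs of '/' with a single '/'."""
    return re.sub(r"/{2,}", "/", path)


def is_same_origin(location):
    """True when the resolved redirect target stays on ORIGIN."""
    target = urlsplit(browser_resolves(location))
    origin = urlsplit(ORIGIN)
    return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)


if __name__ == "__main__":
    raw = "//example.com/foo/bar/"  # path from the advisory
    before = naive_slash_redirect(raw)
    after = naive_slash_redirect(collapse_slashes(raw))
    for label, loc in (("unnormalized", before), ("normalized", after)):
        print(label, loc, "->", browser_resolves(loc),
              "same-origin" if is_same_origin(loc) else "OFF-ORIGIN")
```

A `Location` value that begins with `//` is a scheme-relative reference, so the client treats `example.com` as the host. After normalization the same request resolves to a path on the instance itself.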

Fix

Open Redirect


Weakness Enumeration

Related Identifiers

GHSA-W832-GG5G-X44M

Affected Products

Datasette