PT-2026-35307 — Open Redirect in Npm @Saltcorn/Server

PT-2026-35307 · Npm · @Saltcorn/Server

Published

2026-04-16

Updated

2026-04-16

CVSS v4.0

5.1

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (``) to forward slashes (/) for special schemes, a payload such as /evil.com/path slips through is relative url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL.

Details

Vulnerable function: packages/server/routes/utils.js:393-395

const is relative url = (url) => {
 return typeof url === "string" && !url.includes(":/") && !url.includes("//");
};

The function's intent is to allow only same-origin redirects, but the allow-list only checks for two literal substrings. It does not handle:

backslash characters, which WHATWG URL parsing (used by every modern browser) treats as forward slashes for the special schemes http, https, ftp, ws, wss. A URL parser fed /evil.com/path with a base of http://victim/ resolves to http://evil.com/path.
non-http(s): schemes that do not contain :/. The strings javascript:alert(1), data:text/html,..., vbscript:... all pass.

Vulnerable callsite: packages/server/auth/routes.js:1371-1376

} else if (
 (req.body || {}).dest &&
 is relative url(decodeURIComponent((req.body || {}).dest))
) {
 res.redirect(decodeURIComponent((req.body || {}).dest));
} else res.redirect("/");

The body's dest is URL-decoded twice (once by body-parser, once by the explicit decodeURIComponent) and the same value is passed to res.redirect. Express 5's res.redirect runs the value through encodeurl@2.0.0, whose whitelist character class [^x21x23-x3Bx3Dx3F-x5Fx61-x7Ax7Cx7E] includes x5C (backslash). The backslash is therefore not percent-encoded and ends up verbatim in the Location response header.

PoC

poc.zip

Please extract the uploaded compressed file before proceeding

./setup.sh
./poc.sh

Impact

Any user who can be lured into clicking a Saltcorn login URL crafted by the attacker will, after submitting their valid credentials, be redirected to an attacker-controlled origin. The redirect happens under the trusted Saltcorn domain, so the user has no visual cue that they are about to leave the site. Realistic abuse patterns:

Credential phishing — the attacker's site renders a forged "session expired, please log in again" prompt to capture the password the user just typed.

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601

Related Identifiers

GHSA-F3G8-9XV5-77GV

Affected Products

@Saltcorn/Server