Reflex Library Open Redirect Vulnerability in GitHub Codespaces
Vulnerability
An open redirect vulnerability has been identified in the Reflex library, affecting versions 0.5.4 up to and including 0.8.14 (fixed in 0.8.15). The issue lies in the /auth-codespace endpoint: when the application is accessed in a GitHub Codespaces environment, the page redirects the browser to whatever URL is supplied in the redirect_to query parameter. The redirect is performed without validating the target and fires as soon as the page loads, gated only by a sessionStorage flag that marks the GitHub Codespaces session as authenticated. The same behavior can be triggered in production environments by setting the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable.
Impact
Exploitation of this vulnerability enables open redirect scenarios in which users are sent to untrusted external sites. This can support phishing or disrupt authentication flows, especially where the endpoint is used alongside OAuth or OIDC processes.
Reproduction
To reproduce this vulnerability, deploy a Reflex application in version 0.5.4 through 0.8.14 in a GitHub Codespaces environment. Ensure that the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN variable is set; this is also the setting that activates the vulnerable behavior in a production deployment. Once the application is running, access the /auth-codespace endpoint with a redirect_to parameter pointing to an external URL. Because the target is not validated, the page immediately redirects to the specified URL.
Remediation
Update to Reflex version 0.8.15, where this vulnerability has been patched. In production environments, also ensure that the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN variable is not set.
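As an added example (not Reflex's own code and not the 0.8.15 patch), the block below places the unvalidated pattern the advisory describes next to a conservative same-origin check that a redirect_to value could be passed through before any redirect is issued. Function names and the fallback default are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def vulnerable_redirect_target(redirect_to: Optional[str], default: str = "/") -> str:
    """The unvalidated pattern from the advisory: the query parameter is used
    verbatim as the redirect target, so any absolute URL leaves the origin."""
    return redirect_to or default


def safe_redirect_target(redirect_to: Optional[str], default: str = "/") -> str:
    """Hypothetical hardened check: accept only an absolute path on the
    current origin; anything else falls back to `default`.

    Rejected forms include absolute URLs (https://...), scheme-only targets
    (javascript:...), protocol-relative '//host', the '///host' form that
    browsers collapse to an authority, and backslashes, which browsers
    normalise to '/' so that '/\\host' becomes '//host'.
    """
    if not redirect_to:
        return default
    candidate = redirect_to.strip()
    # Control characters and backslashes are never legitimate in an
    # application-relative path; refuse them before parsing.
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return default
    # Check the raw string: must start with exactly one '/'. This also
    # rejects bare relative paths such as 'dashboard', which are ambiguous.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    # Defence in depth: a parsed scheme or authority means it is not local.
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from components so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```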
