Pocket ID OIDC Provider Callback URL Validation Bypass Vulnerability

Vulnerability

A callback URL validation bypass vulnerability has been identified in Pocket ID, an OpenID Connect (OIDC) provider, in versions from 2.0.0 up to, but not including, 2.4.0. The flaw allows a crafted redirect_uri that carries a URL userinfo component (the part of the authority before an '@') to pass the registered callback pattern checks even though the browser would actually be sent to the host after the '@'. This could enable an attacker to redirect an authorization code to an attacker-controlled host, provided they can trick a user into opening a malicious authorization link.

Impact

Exploitation of this vulnerability could lead to unauthorized redirection of authorization codes to attacker-controlled hosts, potentially allowing unauthorized access to user accounts or services.

Reproduction

The vulnerability can be reproduced by sending an authorization request with a redirect_uri that includes URL userinfo (the '@' symbol) to a Pocket ID OIDC provider instance running a vulnerable version. If the user is tricked into clicking the authorization link, the authorization code will be redirected to the attacker's specified host, bypassing normal validation checks.

Remediation

Users can update to Pocket ID version 2.4.0, where this vulnerability has been fixed. Those unable to update should, where feasible, reject redirect_uri values that contain userinfo (an '@' in the authority) at the reverse proxy or at the application policy level.
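The two checks the advisory describes, parsing the redirect_uri and refusing any userinfo component, then matching only on the parsed components against the registered callbacks, are shown below as an added example. This is illustrative Go written for this page, not Pocket ID's own code; the registered callback list, the exact-match rule (scheme, host and path must be equal) and the hosts app.example and attacker.example are assumptions made for the example, and the real product's matching rules may differ.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical validator for this example, not Pocket ID's implementation.
// Registered callbacks are assumed to be absolute URLs compared exactly
// on scheme, host and path.

var (
	ErrUserinfo      = errors.New("redirect_uri must not contain userinfo")
	ErrNotAbsolute   = errors.New("redirect_uri must be an absolute URL")
	ErrNotRegistered = errors.New("redirect_uri does not match a registered callback URL")
)

// ParsedHost returns the host a browser would actually be sent to for raw,
// i.e. the authority after any userinfo. It returns "" if raw does not parse.
func ParsedHost(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return u.Host
}

// ValidateRedirectURI accepts raw only if it parses, carries no userinfo,
// is absolute, and its scheme, host and path equal those of one registered
// callback. Comparing parsed components instead of the raw string is what
// closes the gap the advisory describes: for "https://app.example@attacker.example/callback"
// the parsed host is attacker.example, and the userinfo check rejects the
// value before any matching is attempted.
func ValidateRedirectURI(raw string, registered []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.User != nil { // set whenever an '@' appears in the authority, even if userinfo is empty
		return ErrUserinfo
	}
	if u.Scheme == "" || u.Host == "" {
		return ErrNotAbsolute
	}
	for _, r := range registered {
		ru, err := url.Parse(r)
		if err != nil || ru.User != nil {
			continue // a malformed registration never matches anything
		}
		if strings.EqualFold(u.Scheme, ru.Scheme) &&
			strings.EqualFold(u.Host, ru.Host) &&
			u.Path == ru.Path {
			return nil
		}
	}
	return ErrNotRegistered
}

func main() {
	// Constructed sample inputs; app.example and attacker.example are placeholders.
	registered := []string{"https://app.example/callback"}
	for _, raw := range []string{
		"https://app.example/callback",
		"https://app.example@attacker.example/callback",
		"https://attacker.example/callback",
		"/callback",
	} {
		err := ValidateRedirectURI(raw, registered)
		fmt.Printf("%-48s host=%-18q -> %v\n", raw, ParsedHost(raw), err)
	}
}
```

Running it shows that only the exact registered URL is accepted; the value with userinfo is refused with ErrUserinfo even though, as ParsedHost shows, a string-based check on the raw value would see the registered host at its start while the parsed host is the one after the '@'. The same host extraction is what a reverse-proxy rule would need to reproduce if the check is enforced there rather than in the application.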

Added: Mar 10, 2026, 6:05 PM
Updated: Mar 10, 2026, 6:05 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          2.9
  exploitability  7.2
  remediation     0.0
  relevance       3.7
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.