Directus Open Redirect Vulnerability in Login Redirection Logic
Vulnerability
An open redirect vulnerability has been identified in Directus versions prior to 11.16.1. The issue arises in the login redirection process, where the 'isLoginRedirectAllowed' function improperly assesses certain malformed URLs as safe. This flaw enables attackers to circumvent redirect allow-list validation, redirecting users to arbitrary external domains after successful authentication. The vulnerability is particularly concerning in Single Sign-On (SSO) scenarios, such as with OAuth2 providers, where an attacker can manipulate a login URL to redirect a user to a malicious site immediately after authentication, without any warning during the login process.
Impact
Exploitation of this vulnerability could lead to open redirect behavior, allowing for phishing attacks, theft of OAuth tokens or authorization codes, and erosion of user trust in the application.
Remediation
Users can upgrade to Directus version 11.16.1 or later to address this vulnerability.
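To illustrate the class of check this advisory describes (an allow-list decision on a post-login redirect target that must not accept malformed URLs), here is an added example of a strict validator. It is not Directus code and not the patched 'isLoginRedirectAllowed' function; the allow-list contents and the function name are assumptions, and it uses Node's built-in WHATWG URL parser.

```javascript
// Added example (not Directus code): strict allow-list check for a
// post-login redirect target. Anything that is not either a plain
// same-site path or an absolute http(s) URL whose origin exactly matches
// the allow-list is rejected. `URL` is a Node global (WHATWG parser).

// Constructed sample allow-list of permitted redirect origins (assumption).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns true only for targets that are safe to redirect to.
function isRedirectAllowed(target, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof target !== 'string' || target.length === 0) return false;
  // Whitespace or control characters mean the value was not a clean URL.
  if (/[\s\u0000]/.test(target)) return false;

  // Relative path: a single leading '/' is fine, but '//' or '/\' are
  // scheme-relative and would send the browser to another host.
  if (target.startsWith('/')) {
    return !/^\/[\/\\]/.test(target);
  }

  // Absolute URL: parse without a base so bare hostnames and other
  // relative forms throw instead of being guessed at.
  let parsed;
  try {
    parsed = new URL(target);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  // Credentials in the authority (user@host) are never a legitimate target.
  if (parsed.username || parsed.password) return false;
  // Compare the normalized origin, not a string prefix, so
  // "https://app.example.com.other" does not pass as "app.example.com".
  return allowedOrigins.has(parsed.origin);
}

module.exports = { isRedirectAllowed, ALLOWED_ORIGINS };
```

The origin comparison is deliberately exact: scheme, host and port must all match, so an http:// form of an https:// allow-list entry is rejected.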