AdonisJS HTTP Server Open Redirect Vulnerability in Referer Header Handling

Vulnerability

A vulnerability allowing open redirects has been identified in the AdonisJS HTTP Server package (@adonisjs/http-server), in versions prior to 7.8.1 and in 8.0.0-next.0 through 8.1.3. The issue arises because the back() method reads the Referer header without validating its host, so a request carrying an attacker-controlled Referer causes the application to redirect the user to an external site of the attacker's choosing. Every AdonisJS application running an affected version that uses response.redirect().back() or response.redirect('back') is exposed.

Impact

Exploitation of this vulnerability allows for open redirects, where users can be sent to untrusted external sites, potentially leading to phishing or other malicious activities.

Reproduction

To reproduce this vulnerability, use an AdonisJS application with an affected version of the HTTP Server package. Implement a route that uses the response.redirect().back() method. Then, send a request to this route with a crafted Referer header that points to an external site. The application will redirect to the URL specified in the Referer header, without any validation.

Remediation

Users should upgrade to @adonisjs/http-server version 8.2.0 or @adonisjs/core version 7.4.0. If an immediate upgrade is not possible, avoid using response.redirect().back() in routes accessible to unauthenticated users or from pages that receive external traffic. Instead, redirect to a known safe path using response.redirect().toPath('/dashboard').
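The safe behaviour the remediation describes (only honour a Referer whose host is our own, otherwise fall back to a known path) can be implemented as a small helper. This is an added example written for this page, not code from AdonisJS; the function names safeBackTarget and redirectBack, the Express-style req/res objects and the '/dashboard' fallback are assumptions.

```javascript
// Added example (not AdonisJS code): derive a safe "redirect back" target from
// the Referer header using the WHATWG URL parser built into Node.js.
// Assumptions (hypothetical names): the caller passes the raw Referer header
// value, the request's own Host header, and a fallback path such as '/dashboard'.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function safeBackTarget(referer, requestHost, fallback = '/') {
  if (typeof referer !== 'string' || referer.length === 0) {
    return fallback; // no Referer sent (privacy settings, direct navigation)
  }
  let url;
  try {
    // No base URL is given on purpose: relative and protocol-relative values
    // such as "//evil.example/" throw here and fall through to the fallback.
    url = new URL(referer);
  } catch {
    return fallback;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return fallback; // e.g. javascript: or data: schemes
  }
  // Compare host (hostname plus any non-default port) with our own Host header.
  // The parser already lowercases the host; userinfo tricks such as
  // "https://app.example@evil.example/" yield host "evil.example" and fail here.
  if (url.host !== String(requestHost).toLowerCase()) {
    return fallback; // Referer points at another site: the open-redirect case
  }
  // Return only path and query, so the Location header can never name another origin.
  return url.pathname + url.search;
}

// Express-style handler sketch showing how a route would use the helper.
function redirectBack(req, res, fallback = '/dashboard') {
  const target = safeBackTarget(req.headers.referer, req.headers.host, fallback);
  res.statusCode = 302;
  res.setHeader('Location', target);
  res.end();
}
```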

Added: Apr 16, 2026, 11:24 PM
Updated: Apr 16, 2026, 11:24 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.2
exploitability: 7.2
remediation: 0.0
relevance: 6.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.