WorkOS AuthKit Session Open Redirect Vulnerability in OAuth Callback Handling
Vulnerability
A moderate open redirect vulnerability has been identified in the WorkOS AuthKit Session toolkit prior to version 0.5.1. The issue arises in the AuthService.handleCallback function, where the returnPathname value, derived from the OAuth state parameter, is insufficiently validated. The state parameter is attacker-controllable and is passed through the identity provider unchanged, so with no restriction on origin or scheme an attacker-controlled absolute URL can be returned to the application as the post-login destination. If the application uses that value directly as a redirect target, users can be sent to external, malicious sites, which facilitates phishing.
Impact
Exploitation of this vulnerability could result in open redirect behavior, allowing attackers to redirect users to external sites of their choice. This could be used in conjunction with social engineering tactics to create phishing scenarios.
Reproduction
To reproduce this vulnerability, initiate an OAuth flow that includes a state parameter. Once the callback is received, the returnPathname value can be manipulated to include an attacker-controlled URL, such as 'https://evil.com/' or similar variants. If the application does not validate or restrict this URL before using it as a redirect target, the user will be sent to the specified external site.
Remediation
Users can update to WorkOS AuthKit Session version 0.5.1 or later, where this vulnerability has been fixed.
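The missing check described above, as an added example that is not AuthKit's own code: a same-origin validator for the state-derived returnPathname, plus a decoder for a constructed state format (base64url JSON with a returnPathname field, an assumption made for the demo; the real state encoding is not described on this page). The APP_ORIGIN value is a constructed sample.

```javascript
// Added example: validate an OAuth-state-derived returnPathname before
// redirecting. Not AuthKit's code; the state encoding (base64url JSON with
// a returnPathname field) and APP_ORIGIN are assumptions for this demo.
const APP_ORIGIN = "https://app.example"; // constructed sample origin

// Return a same-origin path (path + query + fragment), or the fallback.
function safeReturnPathname(candidate, fallback = "/") {
  if (typeof candidate !== "string" || !candidate.startsWith("/")) {
    return fallback; // absolute URLs, javascript:, empty or non-string values
  }
  let url;
  try {
    // Resolving against our own origin normalises tricky inputs such as
    // "//evil.com" and "/\evil.com" (WHATWG parsing treats the backslash as
    // a slash): any host smuggled into the value shows up as a foreign origin.
    url = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  // Re-emit only the components we want; never echo the raw string back.
  return url.pathname + url.search + url.hash;
}

// Decode the state parameter and extract a safe return path from it.
function returnPathFromState(state, fallback = "/") {
  try {
    const json = Buffer.from(state, "base64url").toString("utf8");
    const parsed = JSON.parse(json);
    return safeReturnPathname(parsed.returnPathname, fallback);
  } catch {
    return fallback; // undecodable or malformed state: go to the default page
  }
}

// Helper used to build sample state values in the same assumed format.
function encodeState(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed samples: a legitimate return path and an attacker-controlled one.
console.log(returnPathFromState(encodeState({ returnPathname: "/account" })));
console.log(returnPathFromState(encodeState({ returnPathname: "https://evil.com/" })));
```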