Apache Shiro Jakarta EE Module Open Redirect and SSRF Vulnerability

Vulnerability

A vulnerability allowing URL redirection to untrusted sites (open redirect) and server-side request forgery (SSRF) has been identified in the Apache Shiro Jakarta EE integration module. This issue affects versions 2.0-alpha through 2.1.0 and 3.0.0-alpha-1. The vulnerability arises because the shiroSavedRequest cookie, used to redirect users after login, was not properly validated. As a result, an attacker could forge the cookie to have the server send an HTTP GET request to an arbitrary URL.
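As an added illustration, not code from Apache Shiro and separate from the project's actual fix (which encrypts the cookie), the kind of check a login filter can apply to a redirect target recovered from a client-supplied saved-request value before following it. The class and method names are hypothetical; the rule it enforces is that the target must be a path inside this application's own context, so a forged value can never name another host.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper (not Shiro's own code): decides whether a redirect target
 *  recovered from a client-controlled saved-request cookie may be followed. */
public final class SavedRequestTargetValidator {
    private SavedRequestTargetValidator() {}

    /**
     * Returns true only for a target that stays inside this application:
     * no scheme, no authority (rejects "http://evil", "//evil", "/\evil"),
     * no control characters, and a normalised path under the context path.
     */
    public static boolean isSafeLocalPath(String candidate, String contextPath) {
        if (candidate == null || candidate.isEmpty()) return false;
        // CR/LF and other control characters could split the Location header.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f) return false;
        }
        // Some browsers normalise "/\evil.example" to "//evil.example".
        if (candidate.indexOf('\\') >= 0) return false;
        // Must be an absolute server path, but not protocol-relative ("//host").
        if (!candidate.startsWith("/") || candidate.startsWith("//")) return false;
        URI uri;
        try {
            uri = new URI(candidate).normalize(); // collapses "/app/../admin" to "/admin"
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) return false;
        // Confine the target to the application's own context path ("" for the root context).
        String prefix = (contextPath == null) ? "" : contextPath;
        String path = uri.getRawPath();
        if (path == null) return false;
        return prefix.isEmpty() || path.equals(prefix) || path.startsWith(prefix + "/");
    }

    public static void main(String[] args) {
        // Constructed sample targets: the first is the only one a filter should follow.
        String[] inputs = {"/app/account", "/app/../admin", "//evil.example/x",
                           "http://evil.example/", "/\\evil.example/", "/app/x\r\nSet-Cookie: a=b"};
        for (String in : inputs) {
            String shown = in.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + isSafeLocalPath(in, "/app"));
        }
    }
}
```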

Impact

Exploitation of this vulnerability could lead to unauthorized redirection of users to untrusted sites and allow the server to make requests to potentially harmful URLs, which could be used to access internal resources or services.

Remediation

Users are advised to upgrade to Apache Shiro version 2.1.1 or 3.0.0-alpha-2 or later, both of which address the vulnerability by encrypting the shiroSavedRequest cookie.

Added: May 26, 2026, 6:25 PM
Updated: May 26, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.2
exploitability: 3.3
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 1.4
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.