CVE-2025-62379 (CNNVD-202510-2107)

LOW
中文标题:
Reflex 输入验证错误漏洞
英文标题:
Open Redirect in reflex-dev/reflex
CVSS分数: 3.1
发布时间: 2025-10-15 15:57:57
漏洞类型: 输入验证错误
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Reflex是Reflex开源的一个Web应用程序。 Reflex 0.5.4版本至0.8.14版本存在输入验证错误漏洞,该漏洞源于未验证redirect_to查询参数值,可能导致用户被重定向到任意外部URL。

英文描述:

Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirect_to query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a GitHub Codespaces environment. This allows attackers to redirect users to arbitrary external URLs. The vulnerable route is only registered when a Codespaces environment is detected, and the detection is controlled by environment variables. The same behavior can be activated in production if the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable is set. The vulnerability occurs because the code assigns the redirect_to query parameter directly to a.href without any validation and immediately triggers a click (automatic navigation), allowing users to be sent to arbitrary external domains. The execution condition is based on the presence of a sessionStorage flag, meaning it triggers immediately on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses in place. This issue has been patched in version 0.8.15. As a workaround, users can ensure that GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in a production environment.

CWE类型:
CWE-601
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
reflex-dev reflex >= 0.5.4, < 0.8.15 - - cpe:2.3:a:reflex-dev:reflex:>=_0.5.4,_<_0.8.15:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/reflex-dev/reflex/security/advisories/GHSA-rfh5-c9h5-q8jm x_refsource_CONFIRM
cve.org
访问
https://github.com/reflex-dev/reflex/commit/ade12549f3c0ddab3d7382c581bc04a3c1f989ec x_refsource_MISC
cve.org
访问
CVSS评分详情
3.1 (cna)
LOW
3.1
CVSS向量: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
机密性
NONE
完整性
LOW
可用性
NONE
时间信息
发布时间:
2025-10-15 15:57:57
修改时间:
2025-10-15 17:18:15
创建时间:
2025-11-11 15:40:48
更新时间:
2025-11-11 16:00:17
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2025-62379 2025-11-11 15:23:33 2025-11-11 07:40:48
NVD nvd_CVE-2025-62379 2025-11-11 15:01:06 2025-11-11 07:48:35
CNNVD cnnvd_CNNVD-202510-2107 2025-11-11 15:12:59 2025-11-11 08:00:17
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 16:00:17
vulnerability_type: 未提取 → 输入验证错误; cnnvd_id: 未提取 → CNNVD-202510-2107; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 输入验证错误
  • cnnvd_id: 未提取 -> CNNVD-202510-2107
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:48:35
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']