CVE-2026-40255
@adonisjs/http-server has an Open Redirect vulnerability
Description
### Impact

The `response.redirect().back()` method in `@adonisjs/http-server` is vulnerable to open redirects. The method reads the `Referer` header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the `Referer` header (for example, by linking a user through an attacker-controlled page before a form submission) can cause the application to redirect users to a malicious external site.

This affects all AdonisJS applications that use `response.redirect().back()` or `response.redirect('back')`.

The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

### Patches

This has been fixed in `@adonisjs/http-server` version **8.2.0**. The `back()` method now validates the `Referer` header's host against the request's own `Host` header. Referrers from unrecognized hosts are rejected and the redirect falls back to `/` (or a developer-provided fallback URL).

Applications that operate across multiple domains can configure additional trusted hosts via the `redirect.allowedHosts` option in `config/app.ts`.

Users should upgrade to `@adonisjs/http-server@^8.2.0` (or `@adonisjs/core@^7.4.0` if using the core meta-package).

### Workarounds

If upgrading is not immediately possible, avoid using `response.redirect().back()` in routes that are reachable by unauthenticated users or from pages that accept external traffic. Instead, redirect to a known safe path explicitly using `response.redirect().toPath('/dashboard')`.

### References

- [CWE-601: URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)
- [OWASP: Unvalidated Redirects and Forwards](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
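The following is an added illustration, not code from this advisory or from `@adonisjs/http-server`, of the two behaviours the Impact and Patches sections describe: a `back()`-style target resolver that trusts the `Referer` header outright, beside one that honours it only when its host matches the request's own `Host` header or an explicitly allowed host, and otherwise returns the fallback. The function names, the lowercase Node-style header object, the `allowedHosts` option name and the use of the WHATWG `URL` parser are assumptions made here for the example.

```javascript
// Added example (not the @adonisjs/http-server implementation). Headers are
// assumed to be in Node's lowercase form, e.g. { host: 'app.example', referer: '...' }.

// Vulnerable pattern (CWE-601): whatever the client sent in Referer becomes the
// redirect target, so an attacker-controlled page can steer users anywhere.
function unsafeBackTarget(headers, fallback = '/') {
  return headers.referer || fallback;
}

// Hardened pattern: resolve the Referer against the request's own origin, then
// require its host to be the request Host or one of the configured allowed hosts.
function safeBackTarget(headers, { fallback = '/', allowedHosts = [] } = {}) {
  const referer = headers.referer;
  const host = headers.host;
  if (!referer || !host) return fallback;

  let parsed;
  try {
    // Using the request host as base makes relative referers ("/account")
    // resolve to our own host, while "//evil.example" or "/\evil.example"
    // resolve to the foreign host and are rejected below.
    parsed = new URL(referer, `http://${host}/`);
  } catch {
    return fallback; // unparsable Referer or Host: do not trust it
  }

  // Only web origins may be redirect targets (rejects javascript:, data:, ...).
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;

  // Compare host:port, case-insensitively, against the request Host and the
  // developer-supplied allow list (the advisory's redirect.allowedHosts idea).
  const trusted = new Set(
    [host, ...allowedHosts].filter(Boolean).map((h) => h.toLowerCase())
  );
  if (!trusted.has(parsed.host.toLowerCase())) return fallback;

  // Trusted: redirect to the referer as the client supplied it.
  return referer;
}

module.exports = { unsafeBackTarget, safeBackTarget };
```

Note that the comparison is on `URL.host` (host plus port), so a referer for `app.example:8443` is not accepted by a request served on `app.example` unless that host:port is listed explicitly; that is the safer default when a deployment uses several ports.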
How to patch CVE-2026-40255
To patch CVE-2026-40255, upgrade the affected packages to the patched versions listed below.
- —upgrade to 7.3.1 or later
- —upgrade to 8.2.0 or later
Is CVE-2026-40255 being exploited?
Low — EPSS is 0.0%; no large-scale exploitation activity has been observed so far.