CVE-2026-47377
NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
描述
### Summary The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as `https://nocodb.example/#//attacker.com/phishing` silently redirected visitors to an attacker-controlled origin. ### Details In `packages/nc-gui/plugins/hashRedirect.client.ts`, the plugin extracted the hash content and normalised it into `cleanUrl`: ```ts let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}` if (hashQuery) cleanUrl += `?${hashQuery}` window.location.replace(cleanUrl) ``` `startsWith('/')` returns true for `//attacker.com/...`, which browsers interpret as a protocol-relative absolute URL. No hostname check was performed before the redirect. The fix adds an early `if (/^\/[/\\]/.test(hashPath)) return` to reject protocol-relative paths. ### Impact - Open redirect from any NocoDB origin to an attacker-controlled domain. - No authentication required; the attack lands the victim on an attacker-controlled page that may impersonate a NocoDB login. ### Credit This issue was reported by [@fg0x0](https://github.com/fg0x0).
如何修補 CVE-2026-47377
要修補 CVE-2026-47377,請將受影響套件升級到下列已修補版本。
- —升級至 2026.04.1 或更新版本
CVE-2026-47377 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-47377 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- from 0, < 2026.04.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |