GHSA-X7QQ-M748-8P2C

Vulnerability from github – Published: 2026-06-30 18:31 – Updated: 2026-06-30 18:31
VLAI
Summary
Probo has an open redirect bypass via path normalization
Details

Impact

Probo's saferedirect package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because the second character is .. Go's http.Redirect normalizes this path to /\evil.com before setting the Location header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (https://evil.com), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a continue parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.

Patches

Fixed in go.probo.inc/probo by normalizing relative paths with path.Clean before validation, rejecting backslashes (including percent-encoded %5c) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.

Self-hosted deployments should upgrade to probod v0.194.1 or later.

SaaS deployments on getprobo.com are patched.

Workarounds

No practical workaround for self-hosted installations. Upgrade to the patched release.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.probo.inc/probo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.204.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T18:31:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nProbo\u0027s `saferedirect` package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like `/../\\evil.com` passed validation because the second character is `.`. Go\u0027s `http.Redirect` normalizes this path to `/\\evil.com` before setting the `Location` header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (`https://evil.com`), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a `continue` parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.\n\n### Patches\nFixed in `go.probo.inc/probo` by normalizing relative paths with `path.Clean` before validation, rejecting backslashes (including\npercent-encoded `%5c`) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.\n\nSelf-hosted deployments should upgrade to **probod v0.194.1** or later.\n\nSaaS deployments on getprobo.com are patched.\n\n### Workarounds\nNo practical workaround for self-hosted installations. Upgrade to the patched release.",
  "id": "GHSA-x7qq-m748-8p2c",
  "modified": "2026-06-30T18:31:50Z",
  "published": "2026-06-30T18:31:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getprobo/probo/security/advisories/GHSA-x7qq-m748-8p2c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getprobo/probo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getprobo/probo/blob/main/SECURITY_NOTES.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Probo has an open redirect bypass via path normalization"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…