CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-43fc-v873-qw85: Waku has an Open Redirect via `unstable_redirect` Helper

lowCVSS 3.1CVE-2026-49456
Summary The unstable_redirect() helper exported from waku/router/server (packages/waku/src/router/define-router.tsx:156–161) accepts an arbitrary string and reflects it unchanged into the HTTP Location response header with no URL validation, scheme restriction, or path-only enforcement. Any application that passes user-controlled input to this helper — the natural pattern documented in the JSDoc and official fixtures — is vulnerable to open redirect attacks. An attacker who convinces a victim to click a crafted link can silently redirect the browser to an arbitrary external domain, enabling phishing, credential harvesting, and OAuth token theft. Additionally, scheme-relative URLs (//evil.example/) bypass naive https?://-only allow-list filters that developers might add as ad-hoc mitigations. Dynamic PoC confirmed against waku 1.0.0-beta.0 (commit 8e9f542) in an isolated Docker environment. Two independent dynamic runs produced identical results. Root Cause packages/waku/src/router/define-router.tsx:156–161: export function unstable_redirect( location: string, // only URL pathname is supported. status: 303 | 307 | 308 = 307, ): never { throw createCustomError('Redirect', { status, location }); } The JSDoc comment states "only URL pathname is supported", but this constraint is expressed as documentation only — the function performs no validation. The location value propagates via createCustomError (custom-errors.ts:22–26) into an error digest, is recovered by getErrorInfo in the request handler (handler.ts:79–89), and reflected directly into headers.location of the outgoing Response with no sanitization: if (info?.location) { headers.location = info.location; // handler.ts:87 — unvalidated reflection } return new Response(body, { status, headers }); Trigger (one-line summary) Any developer-supplied user input passed to unstable_redirect() is reflected unchanged into the HTTP Location header, enabling navigation to an attacker-controlled domain. Affected Entr

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
low — CVSS 3.1
Published
2026-07-08
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-43fc-v873-qw85

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49456coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories