Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
Severity: Medium
Description
Saltcorn validates the post-login `dest` parameter with a string check that only rejects values containing `:/` or `//`. Because all WHATWG-compliant browsers normalise backslashes (`\`) to forward slashes (`/`) for special schemes such as `http` and `https`, a payload such as `/\evil.com/path` passes `is_relative_url()`, is emitted unchanged in the HTTP `Location` header, and causes the browser to navigate cross-origin to an attacker-controlled domain.
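The following is an added example, not Saltcorn's own code: a reconstruction of the substring check the advisory describes (assumed from the description, not copied from the package) beside a hardened check that parses `dest` against the site's own origin with Node's WHATWG `URL` class, so it sees the same host the browser will. The site origin `https://app.example` and the sample inputs are constructed.

```javascript
// Reconstruction of the vulnerable idea (assumption, not Saltcorn's source):
// only values containing ":/" or "//" are rejected, so "/\evil.com/path" passes.
function weakIsRelativeUrl(dest) {
  return typeof dest === "string" && !dest.includes(":/") && !dest.includes("//");
}

// Hardened check: resolve `dest` against the site's origin exactly as a browser
// would (Node's URL class implements the WHATWG parser, which normalises "\" to
// "/" for special schemes) and accept only same-origin results.
// Returns the normalised path (+ query + fragment) to redirect to, or null.
function safeRedirectPath(dest, siteOrigin) {
  if (typeof dest !== "string" || dest.length === 0) return null;
  const origin = new URL(siteOrigin).origin;
  let parsed;
  try {
    parsed = new URL(dest, origin);
  } catch {
    return null; // unparseable input is never a valid destination
  }
  if (parsed.origin !== origin) return null; // cross-origin or opaque (e.g. javascript:)
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs: the advisory's payload plus a few variants.
const SITE = "https://app.example";
const SAMPLES = [
  "/dashboard?tab=1",     // legitimate relative destination
  "/\\evil.com/path",     // the advisory's backslash bypass
  "//evil.com",           // protocol-relative, caught by both checks
  "\\\\evil.com",         // two backslashes, also normalised by browsers
  "https://evil.com/x",   // absolute, caught by both checks
  "javascript:alert(1)",  // non-special scheme, opaque origin
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "weak:", weakIsRelativeUrl(s), "hardened:", safeRedirectPath(s, SITE));
}
```

Running it shows the weak check accepting both backslash variants while the hardened check rejects everything except the same-origin path.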
Recommendation
Update the `@saltcorn/server` package to the latest compatible version. Version details:
Affected version(s): **>= 1.6.0-alpha.0, < 1.6.0-beta.5**; **>= 1.5.0-beta.0, < 1.5.6**; **< 1.4.6**. Patched version(s): **1.6.0-beta.5**, **1.5.6**, **1.4.6**.
Related Issues
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation - CVE-2026-26019
- Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration - CVE-2026-45715
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
Tags: npm, @saltcorn/server
Last updated on May 11, 2026