CVE-2025-62379
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| reflex-dev | reflex | 0.8.14 |
| reflex-dev | reflex | 0.5.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an open redirect issue in the Reflex library's /auth-codespace endpoint when used in GitHub Codespaces environments. The endpoint takes the redirect_to query parameter and assigns it directly to a client-side link's href attribute without any validation, then automatically triggers a click to redirect the user. This allows attackers to redirect users to arbitrary external URLs immediately upon page load, potentially leading users to malicious sites. The vulnerable route is only active when a Codespaces environment is detected via environment variables, but can be activated in production if a specific environment variable is set. The issue arises because there is no server-side validation or whitelist to restrict redirect destinations. [2]
How can this vulnerability impact me?
This vulnerability can be exploited to redirect users from a trusted domain to malicious external sites, enabling phishing and social engineering attacks. Attackers can use it to spoof login pages, steal credentials, or distribute malware. It can also disrupt authentication and session flows, potentially escalating security incidents especially when combined with OAuth or OIDC redirect-based authentication flows. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the environment variable `GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` is set in your production environment, as its presence activates the vulnerable `/auth-codespace` route. Additionally, you can test if the `/auth-codespace` endpoint is accessible and if it redirects automatically based on the `redirect_to` query parameter. For example, you can use curl to send a request and observe the response or redirection behavior: `curl -v 'https://yourserver/auth-codespace?redirect_to=http://example.com'`. Also, verify the environment variable with a command like: `echo $GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` or in Python: `python -c 'import os; print(os.getenv("GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN"))'`. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to ensure that the environment variable GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in any production environment, as this disables the vulnerable /auth-codespace route. Additionally, upgrade Reflex to version 0.8.15 or later, where the vulnerability has been patched. [2]
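As an added example, not the Reflex project's own patch code, the two defender-side checks the answers above describe: a server-side validator that accepts `redirect_to` only when it is a same-site path (the whitelist-style restriction the description says is missing), and a helper that reports whether the Codespaces environment variable that enables the `/auth-codespace` route is present. The function names and the `SAFE_DEFAULT` value are assumptions of this example.

```python
import os
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumed landing page used whenever redirect_to is rejected.
SAFE_DEFAULT = "/"


def safe_redirect_target(redirect_to: Optional[str], default: str = SAFE_DEFAULT) -> str:
    """Return redirect_to only if it is a local, path-only target; otherwise default.

    Rejects absolute URLs ("http://evil.example"), scheme-only values
    ("javascript:..."), protocol-relative URLs ("//evil.example") and the
    backslash variant ("/\\evil.example") that some browsers normalise to "//".
    """
    if not redirect_to:
        return default
    candidate = redirect_to.strip()
    # Any scheme or network location means an off-site (or non-HTTP) destination.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    # Only absolute paths on this site pass; "//..." and "/\..." are not paths here.
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    # Embedded whitespace or control characters are never legitimate in a path.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return default
    return candidate


def codespace_auth_route_enabled(environ: Optional[Mapping[str, str]] = None) -> bool:
    """True when the variable that activates the /auth-codespace route is set.

    Pass a mapping to check a captured environment; defaults to os.environ.
    """
    env = os.environ if environ is None else environ
    return "GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN" in env


if __name__ == "__main__":
    # Constructed sample inputs: the first is a legitimate local path, the rest
    # are the open-redirect shapes the validator must refuse.
    for sample in ["/dashboard", "http://evil.example", "//evil.example/x", "/\\evil.example"]:
        print(f"{sample!r:28} -> {safe_redirect_target(sample)!r}")
    print("Codespaces route enabled:", codespace_auth_route_enabled())
```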