CVE-2025-64481
BaseFortify

Publication date: 2025-11-07

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
Datasette is an open source multi-tool for exploring and publishing data. In versions 0.65.1 and below and 1.0a0 through 1.0a19, deployed instances of Datasette include an open redirect vulnerability. Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar. This problem has been patched in both Datasette 0.65.2 and 1.0a21. To work around this issue, if Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-11-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor Product Version / Range
simonw datasette 0.65.2
simonw datasette 1.0a0
simonw datasette 1.0a21
simonw datasette 1.0a19
simonw datasette 0.65.1
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Quick Actions
Executive Summary

This vulnerability is an open redirect issue in Datasette versions 0.65.1 and below and 1.0a0 through 1.0a19. When a request path begins with a double slash (//) and ends with a trailing slash, the trailing-slash redirect reuses that path, so the Location header itself begins with //; browsers treat such a value as a protocol-relative URL and follow it to the host named in the path rather than to the Datasette instance. This behavior can be exploited to redirect users to malicious sites. The issue has been fixed in Datasette versions 0.65.2 and 1.0a21.

Impact Analysis

The open redirect vulnerability can be exploited by attackers to redirect users to malicious websites, potentially leading to phishing attacks or other social engineering exploits. While the CVSS score is 0.0, indicating no direct impact on confidentiality, integrity, or availability, the vulnerability can still be used to trick users, because the redirect originates from a trusted Datasette hostname.

Detection Guidance

You can detect this vulnerability by checking whether your Datasette instance answers a request whose path begins with a double slash (//) and ends with a trailing slash with a redirect to an external host. For example, send a request to a path like //example.com/foo/bar/ and check whether the response redirects to https://example.com/foo/bar; if it does, the instance is vulnerable. A simple way to test this is with curl: curl -I http://your-datasette-instance//foo/bar/ and inspect the Location header in the response.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Datasette to version 0.65.2 or later (0.x line) or 1.0a21 or later (1.0 alpha line), where the issue is patched. If upgrading is not possible right away, configure the proxy in front of Datasette to replace double slashes (//) with a single slash (/) in incoming request URLs, which removes the open redirect behavior.
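The following Python snippet is an added illustration, not Datasette's own code: it models the redirect pattern the advisory describes (a trailing-slash redirect that echoes the raw request path into Location), shows why a path starting with // resolves to an external host, and provides the normalisation that the proxy workaround performs plus a helper for checking a Location header collected from your own instance. The origin datasette.example is a constructed placeholder.

```python
from urllib.parse import urljoin, urlsplit

# Constructed placeholder: the origin your own Datasette instance is served from.
OWN_ORIGIN = "https://datasette.example"


def naive_trailing_slash_redirect(path: str) -> str:
    """Models the pattern the advisory describes (not Datasette's actual code):
    a trailing-slash redirect that copies the raw request path into Location.
    A path beginning with '//' is emitted as '//host/...', which clients read
    as a protocol-relative URL, i.e. a different host."""
    return path.rstrip("/") or "/"


def safe_trailing_slash_redirect(path: str) -> str:
    """Hardened form: collapse any run of leading slashes to exactly one before
    reusing the path. This is the same normalisation as the advisory's proxy
    workaround ('//' -> '/'), applied on the application side."""
    return "/" + path.lstrip("/").rstrip("/")


def resolved_host(location: str, origin: str = OWN_ORIGIN) -> str:
    """Host a client would contact after following `location`, resolved
    against the instance origin the way browsers (and urljoin) resolve it."""
    return urlsplit(urljoin(origin + "/", location)).netloc


def redirect_is_offsite(location: str, origin: str = OWN_ORIGIN) -> bool:
    """Detection helper: True when a Location header returned by your own
    instance would send the client to a different host. Feed it the Location
    value from `curl -I <origin>//example.com/foo/bar/` to check a deployment."""
    return resolved_host(location, origin) != urlsplit(origin).netloc
```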
