CVE-2025-64716
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-11-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anubis | anubis | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Anubis Web AI Firewall Utility occurs because, prior to version 1.23.0, when using subrequest authentication, the software did not validate the redirect URL properly. This allowed redirects to any URL scheme, including potentially dangerous ones like 'javascript:'. Although most modern browsers block such redirects, in some cases this could still trigger harmful behavior. The issue was fixed in version 1.23.0.
How can this vulnerability impact me?
If you use Anubis with subrequest authentication, this vulnerability could allow an attacker to redirect users to malicious URLs, potentially leading to security risks such as executing harmful scripts or phishing attacks. This could compromise user security and trust.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Anubis to version 1.23.0 or later, as this version contains a fix that properly validates redirect URLs in subrequest authentication to prevent unsafe redirects.
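The weakness described above (CWE-601 leading to CWE-79 through a javascript: redirect) comes down to accepting a caller-supplied redirect target without checking its scheme. The following Go function is an added example written for this page; it is not code from the Anubis project and does not reproduce the actual fix in 1.23.0. It assumes an allow-list policy of its own: site-relative paths are accepted, absolute URLs only with scheme http or https and a host from a configured list (the host names used are constructed for the example), and everything else, including javascript:, data:, protocol-relative "//host" targets and URLs carrying credentials, is rejected so that unknown schemes fail closed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeRedirect is returned for any target that fails the policy.
var ErrUnsafeRedirect = errors.New("unsafe redirect target")

// SafeRedirect returns a cleaned redirect target or ErrUnsafeRedirect.
// Policy (an assumption of this example, not the project's own rules):
//   - a site-relative path such as "/dashboard" is accepted as-is;
//   - an absolute URL is accepted only with scheme http or https and a
//     host that appears in allowedHosts;
//   - everything else (javascript:, data:, "//host", credentials in the
//     URL, unparsable input) is rejected.
func SafeRedirect(raw string, allowedHosts []string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", ErrUnsafeRedirect
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrUnsafeRedirect
	}

	// Site-relative path: no scheme, no host, no user info, one leading
	// slash. "//host" parses with a non-empty Host and so falls through to
	// the absolute-URL branch; "/\host" is rejected explicitly because some
	// browsers normalise a backslash to a slash.
	if u.Scheme == "" && u.Host == "" && u.User == nil {
		if strings.HasPrefix(u.Path, "/") &&
			!strings.HasPrefix(u.Path, "//") &&
			!strings.HasPrefix(u.Path, "/\\") {
			return u.String(), nil
		}
		return "", ErrUnsafeRedirect
	}

	// Absolute URL: an allow-list of schemes, not a deny-list, so that any
	// scheme not named here fails closed. net/url lower-cases the scheme,
	// so "JavaScript:" is handled the same way as "javascript:".
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", ErrUnsafeRedirect
	}
	// "https://trusted@evil.example/" parses with User set and Host evil.
	if u.User != nil {
		return "", ErrUnsafeRedirect
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return u.String(), nil
		}
	}
	return "", ErrUnsafeRedirect
}

func main() {
	// Constructed sample targets; app.example.com is a placeholder host.
	allowed := []string{"app.example.com"}
	for _, target := range []string{
		"/dashboard?x=1",
		"https://app.example.com/next",
		"javascript:alert(1)",
		"//evil.example/",
		"https://app.example.com@evil.example/",
	} {
		clean, err := SafeRedirect(target, allowed)
		fmt.Printf("%-42q -> clean=%q err=%v\n", target, clean, err)
	}
}
```

The decision to check the scheme against a short allow-list rather than to block "javascript:" by name is the point of the example: a deny-list would have to anticipate every scheme a browser might act on, whereas the allow-list rejects anything it has not been told about.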