CVE-2026-25198
Open Redirect Vulnerability in web2py Enables Phishing Attacks
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| web2py | web2py | to 2.27.1-stable+timestamp.2023.11.16.08.03.57 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25198 is an open redirect vulnerability found in web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and earlier. This vulnerability allows an attacker to craft a specially designed URL that causes users to be redirected to arbitrary external websites when they access it.
The issue arises because the URL redirection mechanism in web2py does not properly validate or sanitize the redirect URLs, especially those passed via parameters like `_next`. This can lead to users being unknowingly redirected to malicious sites.
The vulnerability was addressed by improving the URL validation logic in the `prevent_open_redirect` function, which now checks the host, scheme, and path structure of redirect URLs more strictly to block malformed or suspicious URLs.
How can this vulnerability impact me? :
If exploited, this vulnerability can cause users of a web2py-based application to be redirected to arbitrary external websites without their consent.
This can lead to phishing attacks where users are tricked into visiting malicious sites that may steal sensitive information, credentials, or install malware.
Because the redirect is triggered by a crafted URL, attackers can lure users into clicking on seemingly legitimate links that actually redirect them to harmful destinations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves an open redirect via the _next parameter or similar URL redirection mechanisms in web2py versions 2.27.1 and prior. Detection involves identifying requests containing suspicious or crafted URLs that redirect users to external arbitrary websites.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor web server logs for requests containing the _next parameter or other redirect parameters with external URLs.'}, {'type': 'list_item', 'content': "Use grep or similar tools to search for suspicious redirect parameters in access logs, for example: grep '_next=http' /path/to/access.log"}, {'type': 'list_item', 'content': 'Look for URLs where the _next parameter points to external domains, which may indicate attempts to exploit the open redirect.'}, {'type': 'list_item', 'content': 'You can also use network monitoring tools or intrusion detection systems to flag HTTP requests with redirect parameters containing external URLs.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update web2py to the latest version where the open redirect vulnerability has been fixed.
The fix involves improved validation and sanitization of redirect URLs in the prevent_open_redirect function, preventing attackers from redirecting users to arbitrary external sites.
If immediate updating is not possible, consider implementing additional input validation on redirect parameters at your application or web server level to block suspicious or external URLs.
Monitor and audit logs for suspicious redirect attempts and inform users about potential phishing risks until the patch is applied.