Executive Summary

CVE-2026-25477 is an Open Redirect vulnerability found in AFFiNE versions 0.25.7 and earlier, specifically at the /redirect-proxy endpoint.

The flaw is caused by improper domain validation logic that uses an incorrectly anchored regular expression to whitelist trusted domains. This regex allows attackers to bypass the whitelist by registering malicious domains that end with a trusted domain string.

For example, the regex pattern .?t.me$ matches affineredirect.me, which should not be trusted, allowing redirection to attacker-controlled sites.

This vulnerability enables attackers to redirect users to malicious sites, potentially leading to phishing attacks and theft of sensitive user credentials.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact users by allowing attackers to redirect them to malicious websites while leveraging the reputation of the legitimate AFFiNE domain.

Such redirections can be used for phishing attacks, where users may be tricked into providing sensitive information like login credentials.

It also affects self-hosted AFFiNE instances, increasing the risk of compromise in those environments.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying requests to the `/redirect-proxy` endpoint that include a `redirect_uri` parameter pointing to domains that bypass the whitelist due to the flawed regex.'}, {'type': 'paragraph', 'content': 'You can monitor network traffic or logs for URLs matching the pattern: `/redirect-proxy?redirect_uri=` followed by suspicious domains that end with trusted domain strings but are attacker-controlled (e.g., domains like `affineredirect.me` that end with `t.me`).'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts include:'}, {'type': 'list_item', 'content': 'Using grep on web server logs to find suspicious redirect attempts: `grep "/redirect-proxy?redirect_uri=" /path/to/access.log | grep -E "affineredirect\\.me|other-malicious-domain"`'}, {'type': 'list_item', 'content': 'Using curl to test the vulnerable endpoint with a crafted URL: `curl -I "https://app.affine.pro/redirect-proxy?redirect_uri=http%3A%2F%2Faffineredirect.me%2Fsign-in"` and observe if it redirects.'}, {'type': 'list_item', 'content': 'Using a regex search in code or logs to find improperly anchored domain validation patterns or suspicious redirect URIs.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating AFFiNE to version 0.26.0 or later, where the vulnerability has been patched.

If updating is not immediately possible, apply a stricter domain validation by replacing the flawed regex with a properly anchored and escaped regex pattern to correctly whitelist trusted domains.

As a short-term fix, modify the validation logic to use a pattern like: `new RegExp(`(^|\.)${escapeRegExp(domain)}$`).test(target.hostname)` to prevent bypasses.

Long-term mitigation includes removing the `/redirect-proxy` endpoint entirely if it is not critical to your application, thereby eliminating the attack surface.

Useful 0 Not Useful 0