CVE-2026-25477
Open Redirect in AFFiNE /redirect-proxy Enables Phishing
Publication date: 2026-03-02
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| affine | affine | < 0.26.0 (0.26.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25477 is an Open Redirect vulnerability found in AFFiNE versions 0.25.7 and earlier, specifically at the /redirect-proxy endpoint.
The flaw is caused by improper domain validation logic that uses an incorrectly anchored regular expression to whitelist trusted domains. This regex allows attackers to bypass the whitelist by registering malicious domains that end with a trusted domain string.
For example, the regex pattern `.?t.me$` has no start anchor and no literal-dot boundary before the trusted name, so it matches `affineredirect.me`, which should not be trusted, allowing redirection to attacker-controlled sites.
This vulnerability enables attackers to redirect users to malicious sites, potentially leading to phishing attacks and theft of sensitive user credentials.
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to redirect them to malicious websites while leveraging the reputation of the legitimate AFFiNE domain.
Such redirections can be used for phishing attacks, where users may be tricked into providing sensitive information like login credentials.
It also affects self-hosted AFFiNE instances, increasing the risk of compromise in those environments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying requests to the `/redirect-proxy` endpoint that include a `redirect_uri` parameter pointing to domains that bypass the whitelist due to the flawed regex.
You can monitor network traffic or logs for URLs matching the pattern `/redirect-proxy?redirect_uri=` followed by suspicious domains that end with trusted domain strings but are attacker-controlled (e.g., domains like `affineredirect.me` that end with `t.me`).
Example commands to detect such attempts include:
- Using grep on web server logs to find suspicious redirect attempts: `grep "/redirect-proxy?redirect_uri=" /path/to/access.log | grep -E "affineredirect\.me|other-malicious-domain"`
- Using curl to test the vulnerable endpoint with a crafted URL: `curl -I "https://app.affine.pro/redirect-proxy?redirect_uri=http%3A%2F%2Faffineredirect.me%2Fsign-in"` and observing whether it redirects.
- Using a regex search in code or logs to find improperly anchored domain validation patterns or suspicious redirect URIs. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating AFFiNE to version 0.26.0 or later, where the vulnerability has been patched.
If updating is not immediately possible, apply a stricter domain validation by replacing the flawed regex with a properly anchored and escaped regex pattern to correctly whitelist trusted domains.
As a short-term fix, modify the validation logic to use a pattern like ``new RegExp(`(^|\.)${escapeRegExp(domain)}$`).test(target.hostname)`` to prevent bypasses.
Long-term mitigation includes removing the `/redirect-proxy` endpoint entirely if it is not critical to your application, thereby eliminating the attack surface.
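The suffix-regex bypass described in the explanation above and the anchored pattern suggested as a short-term fix, as an added JavaScript example that is not taken from the AFFiNE code base: the trusted-domain list, the function names `isTrustedFlawed`, `isTrustedFixed`, `redirectAllowed` and `evaluateProxyRequest`, and the `self-hosted.example` request host are constructed for illustration; `escapeRegExp` is written out here because the page's fix pattern assumes it but does not define it.

```javascript
// Added example (not AFFiNE's code): why an unanchored suffix regex is an
// open-redirect bug, and how the anchored pattern from the mitigation fixes it.

// Constructed trusted-domain list for this demo; "t.me" is the name quoted on the page.
const TRUSTED_DOMAINS = ["affine.pro", "t.me"];

// Escape regex metacharacters so "t.me" means the literal string, not "t<any>me".
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Flawed check, shaped like the `.?t.me$` pattern quoted on the page:
// no `^`, no `\.` boundary before the domain, and the dot is an unescaped wildcard,
// so any hostname whose last characters happen to be "t", anything, "me" passes.
function isTrustedFlawed(hostname) {
  return TRUSTED_DOMAINS.some((d) => new RegExp(`.?${d}$`).test(hostname));
}

// Hardened check from the mitigation: the hostname must be exactly the trusted
// domain or a subdomain of it (preceded by a literal dot), with the domain escaped.
function isTrustedFixed(hostname) {
  return TRUSTED_DOMAINS.some((d) =>
    new RegExp(`(^|\\.)${escapeRegExp(d)}$`).test(hostname)
  );
}

// Decide whether a redirect target may be followed. Parsing with URL and comparing
// only `hostname` avoids tricks in userinfo, port or path; non-http schemes are refused.
function redirectAllowed(redirectUri, isTrusted) {
  let target;
  try {
    target = new URL(redirectUri);
  } catch {
    return false; // not a parseable absolute URL
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return false;
  return isTrusted(target.hostname);
}

// Evaluate a full request to the proxy endpoint, e.g. a URL taken from an access log.
// Returns "allow", "deny", or "no-param" when redirect_uri is missing.
function evaluateProxyRequest(requestUrl, isTrusted) {
  const redirectUri = new URL(requestUrl).searchParams.get("redirect_uri");
  if (redirectUri === null) return "no-param";
  return redirectAllowed(redirectUri, isTrusted) ? "allow" : "deny";
}

// Constructed sample requests; the host is a placeholder, not a real deployment.
const SAMPLE_REQUESTS = [
  "https://self-hosted.example/redirect-proxy?redirect_uri=https%3A%2F%2Ft.me%2Fsomechannel",
  "https://self-hosted.example/redirect-proxy?redirect_uri=http%3A%2F%2Faffineredirect.me%2Fsign-in",
  "https://self-hosted.example/redirect-proxy?redirect_uri=https%3A%2F%2Fevilaffine.pro%2F",
  "https://self-hosted.example/redirect-proxy?redirect_uri=https%3A%2F%2Fdocs.affine.pro%2F",
];

for (const req of SAMPLE_REQUESTS) {
  const uri = new URL(req).searchParams.get("redirect_uri");
  console.log(
    `${uri}\n  flawed: ${evaluateProxyRequest(req, isTrustedFlawed)}` +
      `  fixed: ${evaluateProxyRequest(req, isTrustedFixed)}`
  );
}
```

Running the block shows the second and third sample requests being allowed by the flawed check and denied by the anchored one, while the genuine `t.me` and `docs.affine.pro` targets pass both. The same `evaluateProxyRequest` function can be run over request URLs pulled from access logs to flag historical requests that the flawed logic would have followed.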