Severity: Medium | CWE-601 | Input Validation

Open Redirect Vulnerability

Description

Your app accepts a redirect URL parameter and forwards users to it without validation, enabling phishing attacks.

How Vezraa Detects It

We probe your app for common redirect parameters (?redirect=, ?next=, ?url=) and test if they redirect to external domains.

Real-World Impact

Attackers use your trusted domain to redirect users to phishing sites, making malicious URLs appear legitimate.

Fix Example

// BAD — open redirect: the user-supplied value is forwarded unchecked
res.redirect(req.query.redirect);

// GOOD — validate against an allow-list of local paths, and fall back to a safe default
const allowed = ['/dashboard', '/settings'];
const target = req.query.redirect;
if (typeof target === 'string' && allowed.includes(target)) {
  res.redirect(target);
} else {
  res.redirect('/dashboard');
}
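A static allow-list works when the set of post-login pages is small. When the redirect target must carry a query string or fragment, the check has to accept any same-site path while still rejecting anything that leaves the origin. The helper below is an added example, not Vezraa's code; the handler shape and the `https://app.invalid` base used for parsing are assumptions, and `evil.example` in the comments is a constructed placeholder.

```javascript
// Added example (not from the Vezraa page): return a same-site redirect target
// or a safe default. Accepts only a relative path ("/x?y#z"); rejects absolute
// URLs, protocol-relative URLs (//host), backslash and whitespace variants, and
// non-string values that query parsers produce for repeated parameters.
const DEFAULT_PATH = '/dashboard';

function safeRedirectTarget(raw, fallback = DEFAULT_PATH) {
  // ?redirect=a&redirect=b yields an array in Express; anything but a
  // non-empty string is treated as absent.
  if (typeof raw !== 'string' || raw.length === 0) return fallback;

  // Browsers treat "/\host" like "//host", so normalise backslashes first.
  const candidate = raw.replace(/\\/g, '/');

  // Exactly one leading slash: "/path", not "//host" and not "scheme://host".
  if (!candidate.startsWith('/') || candidate.startsWith('//')) return fallback;

  // The WHATWG parser strips tabs and newlines before parsing, so "/\t/host"
  // becomes "//host". Resolving against a fixed base (an assumed placeholder
  // origin) and comparing origins catches that class of input.
  let parsed;
  try {
    parsed = new URL(candidate, 'https://app.invalid');
  } catch {
    return fallback;
  }
  if (parsed.origin !== 'https://app.invalid') return fallback;

  // Hand back only path + query + fragment, never an absolute URL.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Assumed Express usage:
// app.get('/login', (req, res) => res.redirect(safeRedirectTarget(req.query.redirect)));
```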

Affected Stacks

Next.js, Express, all backends
