Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2023-28370

CVE-2023-28370: Tornadoweb Tornado Open Redirect Flaw

CVE-2023-28370 is an open redirect vulnerability in Tornadoweb Tornado versions 6.3.1 and earlier that enables phishing attacks. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2023-28370 Overview

CVE-2023-28370 is an open redirect vulnerability affecting Tornado, the popular Python web framework and asynchronous networking library. This vulnerability allows a remote unauthenticated attacker to redirect users to arbitrary external websites by crafting malicious URLs. When successfully exploited, attackers can leverage this flaw to conduct sophisticated phishing attacks, potentially compromising user credentials and sensitive information.

Critical Impact

Remote attackers can redirect users to malicious websites without authentication, enabling phishing attacks and credential theft through trusted application URLs.

Affected Products

  • Tornadoweb Tornado versions 6.3.1 and earlier
  • All Tornado deployments using default URL handling configurations
  • Applications built on Tornado that process user-controlled redirect URLs

Discovery Timeline

  • 2023-05-25 - CVE-2023-28370 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2023-28370

Vulnerability Analysis

This open redirect vulnerability (CWE-601) exists in Tornado's URL handling mechanism. Open redirects occur when web applications accept user-controlled input that specifies a link to an external site, and use that input in a redirect without proper validation. In Tornado versions 6.3.1 and earlier, the framework fails to adequately validate redirect destinations, allowing attackers to craft URLs that appear to originate from a legitimate Tornado-based application but ultimately redirect users to attacker-controlled domains.

The network-based attack vector means exploitation can occur remotely without any prior authentication. However, successful exploitation requires user interaction—specifically, a victim must click on or otherwise access the specially crafted malicious URL. This makes the vulnerability particularly effective in phishing campaigns where attackers distribute links through email, social media, or other communication channels.

Root Cause

The root cause of CVE-2023-28370 lies in insufficient validation of redirect URLs within Tornado's request handling logic. When processing redirect responses, the framework does not properly sanitize or validate the destination URL parameter, allowing external URLs to be injected. This enables attackers to abuse the trust users place in the legitimate domain to redirect them to malicious destinations without warning.

Attack Vector

Exploitation of this vulnerability follows a straightforward pattern. An attacker constructs a URL pointing to the vulnerable Tornado application with a specially crafted redirect parameter containing a malicious external URL. When a user clicks this link, they initially connect to the legitimate Tornado application, which then redirects them to the attacker's site. Because the initial URL appears to be from a trusted source, users are more likely to trust the subsequent redirect destination, making this technique highly effective for phishing and credential harvesting attacks.

The vulnerability is exploited through specially crafted URLs that abuse the redirect functionality. The malicious URL leverages the trusted domain of the Tornado application to redirect victims to attacker-controlled sites. Technical details and proof-of-concept information can be found in the JVN Security Advisory JVN45127776.

Detection Methods for CVE-2023-28370

Indicators of Compromise

  • Unusual redirect patterns in web server access logs pointing to external domains
  • HTTP 302/301 redirect responses containing suspicious or unfamiliar destination URLs
  • User reports of unexpected redirects when accessing application URLs
  • Referrer headers showing traffic originating from legitimate application URLs but landing on external sites

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block redirect attempts to external domains
  • Monitor HTTP response headers for redirect status codes with external URL destinations
  • Deploy URL inspection on outbound requests to identify potential redirect abuse
  • Configure intrusion detection systems to alert on patterns matching open redirect exploitation

Monitoring Recommendations

  • Enable detailed access logging on Tornado applications to capture redirect destinations
  • Set up alerts for redirect responses containing URLs outside your organization's domain whitelist
  • Implement real-time log analysis to detect spikes in redirect activity or unusual redirect patterns
  • Monitor for user complaints or reports of phishing attempts leveraging your application's URLs

How to Mitigate CVE-2023-28370

Immediate Actions Required

  • Upgrade Tornado to version 6.3.2 or later immediately
  • Audit application code for any custom redirect implementations that may be vulnerable
  • Implement URL validation to restrict redirects to trusted domains only
  • Review and update web application firewall rules to block malicious redirect attempts

Patch Information

The Tornado development team has addressed this vulnerability in version 6.3.2. Organizations should upgrade to this version or later to remediate the open redirect vulnerability. The fix implements proper validation of redirect URLs to prevent redirection to arbitrary external sites.

For more information, see the GitHub Tornado Release v6.3.2. Debian users should also review the Debian LTS Announcement for distribution-specific updates.

Workarounds

  • Implement application-level URL validation to whitelist allowed redirect destinations
  • Configure reverse proxy or WAF rules to strip or validate redirect parameters before they reach the application
  • Disable or remove redirect functionality if not required for application operations
  • Add confirmation pages for external redirects requiring explicit user acknowledgment
bash
# Example: Upgrade Tornado using pip
pip install --upgrade tornado>=6.3.2

# Verify installed version
pip show tornado | grep Version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.