CVE-2024-39694 Overview
CVE-2024-39694 is an open redirect vulnerability [CWE-601] in Duende IdentityServer, an OpenID Connect and OAuth 2.x framework for ASP.NET Core. Attackers can craft malicious URLs that certain functions in IdentityServer incorrectly classify as local and trusted. When IdentityServer returns such a URL as a redirect, some browsers will follow it to a third-party, untrusted site. The flaw does not directly expose user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. However, attackers can chain it into phishing campaigns to harvest user credentials by abusing the trust of the IdentityServer host domain. The vulnerability is fixed in versions 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5.
Critical Impact
Attackers can leverage trusted IdentityServer URLs to redirect authenticated user flows to attacker-controlled sites, enabling targeted credential phishing campaigns.
Affected Products
- Duende IdentityServer versions prior to 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5
- Duende.IdentityServer 5.1 and earlier (no longer supported)
- All versions of IdentityServer4 (no longer supported)
Discovery Timeline
- 2024-07-31 - CVE-2024-39694 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-39694
Vulnerability Analysis
The vulnerability resides in the IsLocalUrl extension method within Duende IdentityServer's string utility helpers. This function determines whether a URL passed as a return URL parameter points to the same IdentityServer host. The pre-patch implementation diverged from the canonical ASP.NET Core IUrlHelper.IsLocalUrl logic, allowing certain malformed URLs to be classified as local. Attackers can craft a return URL that bypasses these checks while still triggering an HTTP redirect to an external domain.
Because IdentityServer commonly handles login, logout, and consent flows that accept user-supplied return URLs, the vulnerable validation routine affects authentication endpoints exposed to the public internet. A successful redirect places the victim on an attacker-controlled site that visually mimics the legitimate IdentityServer login page, enabling credential harvesting.
Root Cause
The root cause is improper URL validation [CWE-601]. The internal IsLocalUrl implementation was originally copied from ASP.NET Core to avoid an external dependency but drifted from the upstream behavior. The patch realigns IdentityServer's local URL validation with the current ASP.NET Core reference implementation.
Attack Vector
Exploitation requires network access to the IdentityServer endpoint and user interaction, typically a victim clicking a crafted link. The attacker delivers a URL of the form https://identityserver.example.com/account/login?returnUrl=<crafted-payload> via email, chat, or a malicious web page. After authentication, IdentityServer issues a redirect to the attacker-controlled location.
The patch replaces the divergent helper with the canonical ASP.NET Core implementation:
[DebuggerStepThrough]
public static bool IsLocalUrl(this string url)
{
+ // This implementation is a copy of
+ // https://github.com/dotnet/aspnetcore/blob/3f1acb59718cadf111a0a796681e3d3509bb3381/src/Mvc/Mvc.Core/src/Routing/UrlHelperBase.cs#L315
+ // We originally copied that code to avoid a dependency, but we could
+ // potentially remove this entirely by switching to the Microsoft.NET.Sdk.Web sdk.
if (string.IsNullOrEmpty(url))
{
return false;
Source: DuendeSoftware IdentityServer commit 269ca21
Detection Methods for CVE-2024-39694
Indicators of Compromise
- HTTP 302 responses from IdentityServer endpoints (/account/login, /connect/authorize, /account/logout) with Location headers pointing to external domains
- Login or logout requests containing returnUrl or redirect_uri parameters with unusual encodings, backslashes, or protocol-relative prefixes such as //attacker.tld
- Referrer logs showing user traffic flowing from IdentityServer hosts to unfamiliar third-party domains shortly after authentication
Detection Strategies
- Inspect web server and reverse proxy logs for return URL parameters that fail strict allow-list validation against the IdentityServer host
- Compare deployed Duende IdentityServer assembly versions against the patched releases (7.0.6, 6.3.10, 6.2.5, 6.1.8, 6.0.5) during routine asset inventories
- Correlate authentication events with downstream DNS or proxy queries to newly observed external domains to surface phishing pivots
Monitoring Recommendations
- Alert when returnUrl values contain characters such as \, @, or double slashes that commonly bypass URL parsers
- Enable WAF rules to inspect query strings on IdentityServer endpoints for suspicious redirect payloads
- Monitor user reports of credential prompts appearing on unexpected domains following IdentityServer interactions
How to Mitigate CVE-2024-39694
Immediate Actions Required
- Upgrade Duende IdentityServer to a patched version: 7.0.6, 6.3.10, 6.2.5, 6.1.8, or 6.0.5
- Audit any custom UI code in the IdentityServer host that processes return URLs to ensure it uses IUrlHelper.IsLocalUrl from ASP.NET Core
- Migrate off unsupported Duende.IdentityServer 5.1 and earlier or any IdentityServer4 deployment because these will not receive fixes
Patch Information
Duende Software resolved the issue by aligning the internal IsLocalUrl helper with the current ASP.NET Core implementation. Refer to the DuendeSoftware Security Advisory GHSA-ff4q-64jc-gx98 for full advisory details and the related commits 269ca21, 765116a, d0d8eab, f04cf0b, and fe817b4.
Workarounds
- If upgrading is not immediately possible, replace calls to the vulnerable extension method with IUrlHelper.IsLocalUrl from ASP.NET Core inside IdentityServer UI code
- Enforce a strict allow-list of permitted return URL hosts for login, logout, and consent flows
- Reject return URL values that contain backslashes, encoded slashes, @ characters, or protocol prefixes before passing them to redirect helpers
# Example: update Duende IdentityServer package to a patched version
dotnet add package Duende.IdentityServer --version 7.0.6
dotnet restore
dotnet build --configuration Release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
