The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-39694

CVE-2024-39694: Duende IdentityServer Auth Bypass Flaw

CVE-2024-39694 is an authentication bypass vulnerability in Duende IdentityServer allowing attackers to craft malicious URLs treated as trusted, enabling phishing attacks. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated: January 22, 2026

CVE-2024-39694 Overview

CVE-2024-39694 is an Open Redirect vulnerability affecting Duende IdentityServer, an OpenID Connect and OAuth 2.x framework for ASP.NET Core. The vulnerability allows attackers to craft malicious URLs that certain functions in IdentityServer incorrectly treat as local and trusted. When such a URL is returned as a redirect, some browsers will follow it to a third-party, untrusted site.

Critical Impact

While this vulnerability does not directly allow attackers to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens, it can be exploited as part of a phishing attack designed to steal user credentials by redirecting users to malicious sites that impersonate legitimate login pages.

Affected Products

  • Duende.IdentityServer versions prior to 7.0.6
  • Duende.IdentityServer versions prior to 6.3.10
  • Duende.IdentityServer versions prior to 6.2.5
  • Duende.IdentityServer versions prior to 6.1.8
  • Duende.IdentityServer versions prior to 6.0.5
  • Duende.IdentityServer 5.1 and earlier (end-of-life)
  • All versions of IdentityServer4 (end-of-life)

Discovery Timeline

  • 2024-07-31 - CVE CVE-2024-39694 published to NVD
  • 2024-08-01 - Last updated in NVD database

Technical Details for CVE-2024-39694

Vulnerability Analysis

This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, commonly known as Open Redirect). The flaw exists in the URL validation logic within Duende IdentityServer's IsLocalUrl function, which is responsible for determining whether a given URL points to a local resource or an external site.

The vulnerable implementation failed to properly validate certain malformed URLs, allowing attackers to craft URLs that bypass the local URL check while still redirecting users to external, attacker-controlled domains. This is particularly dangerous in the context of an identity provider, where users inherently trust the authentication flow and may not notice subtle differences in redirect destinations.

The vulnerability can be exploited through network-based attacks requiring user interaction, where an attacker convinces a user to click on a specially crafted link that passes through the IdentityServer authentication flow.

Root Cause

The root cause lies in the IsLocalUrl extension method implemented in StringsExtensions.cs. The original implementation did not follow the robust URL validation approach used by ASP.NET Core's IUrlHelper.IsLocalUrl method. The fix involved aligning the IdentityServer implementation with the reference implementation from ASP.NET Core's UrlHelperBase.cs.

Attack Vector

An attacker exploits this vulnerability by:

  1. Crafting a malicious URL that the IsLocalUrl function incorrectly identifies as local
  2. Embedding this URL in a phishing email or malicious webpage
  3. When a user clicks the link and authenticates, IdentityServer redirects them to the attacker's site
  4. The attacker's site can then mimic the legitimate application to harvest credentials or session data
csharp
// Security patch from StringsExtensions.cs showing the fix
[DebuggerStepThrough]
public static bool IsLocalUrl(this string url)
{
    // This implementation is a copy of a https://github.com/dotnet/aspnetcore/blob/3f1acb59718cadf111a0a796681e3d3509bb3381/src/Mvc/Mvc.Core/src/Routing/UrlHelperBase.cs#L315
    // We originally copied that code to avoid a dependency, but we could potentially remove this entirely by switching to the Microsoft.NET.Sdk.Web sdk.
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }
    // Additional validation logic follows...
}

Source: DuendeSoftware IdentityServer Commit

Detection Methods for CVE-2024-39694

Indicators of Compromise

  • Unusual redirect URLs in authentication request logs containing encoded or malformed URL schemes
  • User reports of landing on unexpected or suspicious websites after authentication
  • Authentication flow logs showing redirect_uri parameters pointing to external domains
  • Increased phishing reports from users who recently authenticated through IdentityServer

Detection Strategies

  • Review web application firewall (WAF) logs for suspicious redirect_uri parameters in OAuth/OIDC flows
  • Implement URL pattern matching rules to detect known open redirect payload patterns (e.g., //evil.com, \/\/evil.com, encoded variants)
  • Monitor authentication logs for redirect URLs that don't match your configured allowed redirect URIs
  • Deploy SentinelOne's Singularity Platform to detect and correlate suspicious network activity patterns associated with credential phishing campaigns

Monitoring Recommendations

  • Enable verbose logging for IdentityServer redirect processing to capture all redirect_uri values
  • Set up alerts for authentication requests with redirect URLs containing unusual characters or encoding
  • Monitor for POST-authentication traffic to domains outside your organization's trusted list
  • Implement real-time analysis of user session flows to detect redirect chain anomalies

How to Mitigate CVE-2024-39694

Immediate Actions Required

  • Upgrade Duende.IdentityServer to versions 7.0.6, 6.3.10, 6.2.5, 6.1.8, or 6.0.5 depending on your version branch
  • Review authentication logs for any signs of exploitation prior to patching
  • Audit your configured redirect URIs to ensure they follow strict whitelist policies
  • Notify users to be vigilant about unexpected redirects after authentication

Patch Information

Duende Software has released patched versions addressing this vulnerability. The fix aligns the internal IsLocalUrl implementation with ASP.NET Core's proven IUrlHelper.IsLocalUrl method. Security patches are available through the following commits:

  • Patch for version 7.0.x
  • Patch for version 6.3.x
  • Patch for version 6.2.x

For complete details, see the DuendeSoftware Security Advisory GHSA-ff4q-64jc-gx98.

Workarounds

  • If upgrading is not immediately possible, use IUrlHelper.IsLocalUrl from ASP.NET Core to validate return URLs in user interface code within the IdentityServer host
  • Implement a custom URL validation middleware that strictly validates all redirect URLs against a whitelist
  • Configure your reverse proxy or WAF to block requests with suspicious redirect_uri patterns
  • For end-of-life versions (Duende.IdentityServer 5.1 and earlier, IdentityServer4), plan immediate migration to supported versions
csharp
// Workaround: Use ASP.NET Core's IUrlHelper for URL validation
public class SecureRedirectValidator
{
    private readonly IUrlHelper _urlHelper;
    
    public SecureRedirectValidator(IUrlHelper urlHelper)
    {
        _urlHelper = urlHelper;
    }
    
    public bool IsValidLocalUrl(string url)
    {
        // Use ASP.NET Core's proven implementation
        return _urlHelper.IsLocalUrl(url);
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechDuende Identityserver
  • SeverityMEDIUM
  • CVSS Score4.7
  • EPSS Probability0.14%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-601
  • Technical References
  • DuendeSoftware IdentityServer Commit Update
  • DuendeSoftware IdentityServer Commit Update
  • DuendeSoftware IdentityServer Commit Update
  • DuendeSoftware IdentityServer Commit Update
  • DuendeSoftware IdentityServer Commit Update
  • DuendeSoftware Security Advisory GHSA-ff4q-64jc-gx98
  • Related CVEs
  • CVE-2026-4349: Duende IdentityServer Auth Bypass Flaw
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English