CVE-2024-42353 Overview
CVE-2024-42353 is an Open Redirect vulnerability affecting WebOb, a Python library that provides objects for HTTP requests and responses. The vulnerability exists in how WebOb normalizes the HTTP Location header when handling redirects. When WebOb joins a user-supplied URL with the base URL using Python's urlparse and urljoin functions, it fails to properly handle URLs starting with //, allowing attackers to redirect users to malicious external domains.
Critical Impact
Attackers can craft malicious URLs that exploit this parsing flaw to redirect users from trusted applications to attacker-controlled websites, enabling phishing attacks, credential theft, and other social engineering attacks.
Affected Products
- Pylonsproject WebOb versions prior to 1.8.8
Discovery Timeline
- August 14, 2024 - CVE-2024-42353 published to NVD
- August 19, 2024 - Last updated in NVD database
Technical Details for CVE-2024-42353
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site), commonly known as an Open Redirect. The flaw stems from WebOb's handling of the HTTP Location header during URL normalization. When a redirect URL begins with //, Python's urlparse interprets this as a scheme-relative URL and treats the subsequent portion as the hostname. When urljoin then combines this with the original request URI, it replaces the legitimate hostname with the attacker-controlled hostname from the malicious URL.
The vulnerability requires user interaction, as the victim must click on or be directed to a crafted URL. However, since the initial domain appears legitimate, users are more likely to trust and follow such links. This is particularly dangerous in applications that handle authentication flows or password reset functionality.
Root Cause
The root cause lies in the insufficient validation of URL inputs before processing them with Python's URL parsing utilities. The urlparse function interprets a string starting with // as a protocol-relative URL, extracting everything after // up to the next / as the hostname. When urljoin merges this parsed URL with the request base URL, it uses the extracted hostname from the user input rather than the original request hostname, resulting in an open redirect condition.
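The parsing behaviour described above, as an added example that is not WebOb's own code: a small `normalize_location` helper reproduces the unpatched normalization (plain `urljoin`) beside the patched form that percent-encodes the second slash. The `SCHEME_RE` regex and the hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urljoin

# Assumption: WebOb's SCHEME_RE matches a leading URL scheme such as "https:".
# This regex approximates that behaviour for the example; it is not WebOb's code.
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def normalize_location(request_uri: str, value: str, patched: bool = True) -> str:
    """Turn a Location header value into an absolute URL.

    patched=False reproduces the pre-1.8.8 behaviour behind CVE-2024-42353:
    a value beginning with "//" is parsed as scheme-relative, so urljoin
    swaps in the hostname from the untrusted value.
    patched=True applies the same idea as the 1.8.8 fix: the second slash is
    percent-encoded, so urljoin treats the value as a path on the request host.
    """
    if SCHEME_RE.search(value):
        # Absolute URL: passed through unchanged. An application that forwards
        # untrusted absolute URLs here must allowlist them itself.
        return value
    if patched and value.startswith("//"):
        value = "/%2f" + value[2:]
    return urljoin(request_uri, value)


def demo() -> dict:
    """Constructed inputs showing unpatched vs patched results."""
    base = "https://app.example/login"
    cases = [
        "/account",                   # ordinary relative redirect
        "//attacker.example/phish",   # the CVE-2024-42353 pattern (constructed)
        "https://app.example/ok",     # absolute URL, passed through
    ]
    return {
        v: (normalize_location(base, v, patched=False),
            normalize_location(base, v, patched=True))
        for v in cases
    }


if __name__ == "__main__":
    for value, (before, after) in demo().items():
        print(f"{value!r}\n  unpatched: {before}\n  patched:   {after}")
```

Running the block shows the unpatched result of `//attacker.example/phish` is `https://attacker.example/phish` (host replaced), while the patched result stays on `app.example` with the value folded into the path.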
Attack Vector
An attacker can exploit this vulnerability by crafting a URL that starts with // followed by a malicious domain. When a victim visits a vulnerable application endpoint that performs a redirect using WebOb's Location header normalization, they will be redirected to the attacker's domain instead of the intended destination. This can be leveraged for phishing attacks, session token theft via the Referer header, or bypassing security controls that rely on same-origin policies.
# Security patch from WebOb response.py
# Source: https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
if SCHEME_RE.search(value):
return value
+ # This is to fix an open redirect issue due to the way that
+ # urlparse.urljoin works. See CVE-2024-42353 and
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ if value.startswith("//"):
+ value = "/%2f{}".format(value[2:])
new_location = urlparse.urljoin(_request_uri(environ), value)
return new_location
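Review bot: the hunk carries no regression test; add a case asserting that a Location value of `//example.com/x` normalizes to `/%2fexample.com/x` on the request host rather than to a URL whose host is `example.com`, so the behaviour the new comment describes is locked in. Placing the check after the `SCHEME_RE.search(value)` early return is correct, since absolute URLs are meant to pass through untouched and only scheme-less values reach `urlparse.urljoin`.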
Detection Methods for CVE-2024-42353
Indicators of Compromise
- HTTP redirect responses (3xx status codes) with Location headers pointing to external domains unexpectedly
- Web application logs showing redirect URLs beginning with // followed by external hostnames
- User reports of being redirected to unfamiliar or suspicious websites after clicking internal application links
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing URL patterns with // prefixes in redirect parameters
- Review application logs for anomalous redirect patterns, particularly those involving external domains
- Conduct code reviews to identify uses of WebOb's redirect functionality with untrusted user input
- Use static application security testing (SAST) tools to scan Python codebases for vulnerable WebOb versions
Monitoring Recommendations
- Monitor HTTP response headers for unexpected external domain redirects in Location headers
- Implement alerting on redirect chains that terminate at domains outside your organization's control
- Track WebOb library versions across your application portfolio using software composition analysis (SCA) tools
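A detection pass over the indicators listed under Indicators of Compromise, Detection Strategies and Monitoring Recommendations, as an added example (not from the original page): it scans constructed log lines for 3xx responses whose Location host is outside a trusted set and for redirect parameters whose value begins with `//`. The log line format, the trusted host set and all hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (not from any real deployment). Assumed format:
# <timestamp> <status> <method> <path?query> location=<Location header or ->
SAMPLE_LOG = """\
2024-08-15T10:00:01Z 302 GET /login?next=/account location=https://app.example/account
2024-08-15T10:00:02Z 302 GET /login?next=//attacker.example/phish location=https://attacker.example/phish
2024-08-15T10:00:03Z 200 GET /account location=-
2024-08-15T10:00:04Z 301 GET /old location=https://www.app.example/new
2024-08-15T10:00:05Z 302 GET /sso?return=//198.51.100.7/x location=https://198.51.100.7/x
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"location=(?P<location>\S+)$"
)


def is_trusted_host(host: str, trusted: set) -> bool:
    """True if host equals a trusted domain or is a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_suspicious_redirects(log_text: str, trusted_hosts: set) -> list:
    """Return findings for lines matching the CVE-2024-42353 indicators.

    A line is flagged when a 3xx response carries a Location whose host is
    not in trusted_hosts, or when any query parameter value starts with "//"
    (the scheme-relative pattern the vulnerability depends on).
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = []
        status = int(m["status"])
        location = m["location"]
        if 300 <= status < 400 and location != "-":
            host = urlsplit(location).hostname or ""
            if not is_trusted_host(host, trusted_hosts):
                reasons.append(f"external redirect to {host}")
        query = urlsplit(m["target"]).query
        for key, val in parse_qsl(query, keep_blank_values=True):
            if val.startswith("//"):
                reasons.append(f"scheme-relative value in parameter {key!r}")
        if reasons:
            findings.append({"ts": m["ts"], "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE_LOG, {"app.example"}):
        print(f["ts"], f["target"], "; ".join(f["reasons"]))
```

The `//` check runs on every request, not only on 3xx responses, so a probe that the application rejected still surfaces; the external-host check is what catches a redirect that actually left the trusted domains.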
How to Mitigate CVE-2024-42353
Immediate Actions Required
- Upgrade WebOb to version 1.8.8 or later, which contains the security patch
- Audit all applications using WebOb to identify potentially vulnerable deployments
- Implement input validation to sanitize redirect URLs before passing them to WebOb
- Review and test all redirect functionality in applications using WebOb
Patch Information
The vulnerability is patched in WebOb version 1.8.8. The fix adds explicit handling for URLs starting with // by URL-encoding the second slash, preventing the hostname substitution attack. The patch can be reviewed in the GitHub commit and full details are available in the GitHub Security Advisory.
Workarounds
- Implement application-level validation to reject or sanitize redirect URLs starting with // before they reach WebOb
- Use an allowlist approach for redirect destinations, only permitting redirects to known trusted domains
- Deploy a web application firewall (WAF) rule to filter requests containing suspicious redirect patterns
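An application-level validator of the kind the first two workarounds describe, as an added example that is not WebOb's or the page's own code: it accepts only plain relative paths or absolute `https` URLs whose host is on an allowlist, and rejects scheme-relative `//host` values before they reach any redirect. It goes slightly beyond the page by also rejecting paths beginning with `/\`, since browsers normalize a backslash to a forward slash. The host names in the allowlist are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would load its own.
ALLOWED_REDIRECT_HOSTS = {"app.example", "sso.example"}


def safe_redirect_target(candidate: str, default: str = "/") -> str:
    """Return candidate if it is a safe redirect destination, else default.

    Accepted:
      * a relative path starting with a single "/" (not "//" and not "/\\")
      * an absolute https URL whose hostname is in ALLOWED_REDIRECT_HOSTS
    Anything else, including the "//attacker" form behind CVE-2024-42353,
    falls back to default.
    """
    if not candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative value. urlsplit sees "/\\host" as a bare path, but browsers
        # treat the backslash as a slash, so reject it alongside "//host".
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return default
    # Absolute value: require https and an allowlisted host. Using .hostname
    # (not .netloc) means "https://app.example@attacker.example/" is judged
    # by attacker.example, the host a browser would actually connect to.
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return candidate
    return default


if __name__ == "__main__":
    for value in ["/account", "//attacker.example/phish", "/\\attacker.example",
                  "https://sso.example/callback", "https://attacker.example/",
                  "https://app.example@attacker.example/", ""]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

Call `safe_redirect_target` on the `next`/`return` parameter before building the response, and pass only its return value to the redirect; the library-level fix in 1.8.8 still applies underneath, so the two layers back each other up.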
# Configuration example
# Upgrade WebOb to the patched version using pip (quote the version specifier
# so the shell does not treat ">" as an output redirection)
pip install --upgrade "webob>=1.8.8"
# Verify installed version
pip show webob | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.