CVE-2026-42565 Overview
CVE-2026-42565 is an open redirect vulnerability [CWE-601] in @workos/authkit-session, a toolkit for building WorkOS AuthKit framework integrations. The flaw is in AuthService.handleCallback, which does not validate the returnPathname value it decodes from the OAuth state parameter. The identity provider (IdP) echoes state back to the callback unchanged, so whoever constructs the authorization link, for instance an attacker who sends it to a victim, controls the returnPathname that the callback receives. An application that uses that value directly as a redirect target sends the user to an attacker-chosen external site after login. Versions prior to 0.5.1 are affected; the fix ships in 0.5.1.
Critical Impact
Attackers can craft authorization links that, after a legitimate and successful login, redirect users to external phishing or malware-hosting sites. Because the redirect is issued by the application's own callback, the destination inherits the application's credibility, which makes credential harvesting and social engineering more effective.
Affected Products
- @workos/authkit-session versions prior to 0.5.1
- Applications integrating WorkOS AuthKit via this session toolkit
- OAuth callback handlers using AuthService.handleCallback
Discovery Timeline
- 2026-05-11 - CVE-2026-42565 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42565
Vulnerability Analysis
The vulnerability is an open redirect classified under [CWE-601]. The handleCallback function in AuthService decodes the returnPathname value from the OAuth state parameter and returns it without validating origin or scheme. Because state is reflected back from the IdP, an attacker who initiates the OAuth flow can embed a fully qualified external URL or a protocol-relative path (//evil.com) as the return path. When the consuming application emits this value in a Location header, the browser navigates to the attacker-controlled destination. Exploitation requires user interaction in the form of clicking a crafted authorization link.
Root Cause
The root cause is missing validation of the returnPathname value. handleCallback trusted the decoded payload as a same-origin relative path without requiring that it begin with exactly one / and without stripping smuggled hosts, schemes, backslashes, or whitespace and control characters. A bare leading-slash check would not have been enough either: //attacker.example and /\attacker.example both begin with /, yet a browser resolves each of them to a different host. Such protocol-relative forms were not normalized and were forwarded verbatim to the redirect logic.
Attack Vector
An attacker constructs an OAuth authorization URL containing a malicious returnPathname inside the state parameter. The victim authenticates legitimately at the IdP. On callback, the application invokes handleCallback, which returns the attacker-controlled path. The application redirects the user to the external site, where credential theft or malware delivery can occur under the trust context of the original application.
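The flow above, as an added example that is not part of the original advisory or of @workos/authkit-session: an attacker-built authorization link, a mock IdP that echoes state back unchanged, a callback handler that trusts state.returnPathname, and the origin the browser actually lands on. The state encoding (JSON in the state parameter), the app origin app.example, the attacker host evil.example, the callback route and the function names are assumptions made for the demonstration; AuthKit's real state format differs. The example also shows that a plain leading-slash check does not help, since //host and /\host both pass it.

```typescript
// Added example, not @workos/authkit-session code. Every origin, route and
// encoding below is an assumption made for the demonstration.

const APP_ORIGIN = 'https://app.example';            // assumed relying-party origin
const CALLBACK_URL = `${APP_ORIGIN}/auth/callback`;   // assumed callback route
const IDP_AUTHORIZE = 'https://idp.example/oauth/authorize'; // assumed IdP endpoint

interface OAuthState { returnPathname?: unknown }

// Attacker side: whoever builds the authorization link chooses `state` freely.
function buildAuthorizationUrl(returnPathname: string): string {
  const url = new URL(IDP_AUTHORIZE);
  url.searchParams.set('redirect_uri', CALLBACK_URL);
  url.searchParams.set('state', JSON.stringify({ returnPathname })); // assumed encoding
  return url.href;
}

// IdP side (simplified): after the victim logs in, redirect to redirect_uri with
// a code and the *unchanged* state value.
function idpRedirectAfterLogin(authorizationUrl: string): string {
  const req = new URL(authorizationUrl);
  const callback = new URL(req.searchParams.get('redirect_uri')!);
  callback.searchParams.set('code', 'constructed-auth-code');
  callback.searchParams.set('state', req.searchParams.get('state') ?? '');
  return callback.href;
}

// Vulnerable relying party: decode state and hand returnPathname back verbatim,
// which the caller then emits as the Location header.
function vulnerableHandleCallback(callbackUrl: string): string {
  const state: OAuthState = JSON.parse(new URL(callbackUrl).searchParams.get('state') ?? '{}');
  const rp = state.returnPathname;
  return typeof rp === 'string' && rp.length > 0 ? rp : '/';
}

// The check many teams reach for first. `//host` and `/\host` also begin with `/`.
function beginsWithSlash(pathname: string): boolean {
  return pathname.startsWith('/');
}

// Where the browser lands after `302 Location: <location>`: the value is resolved
// relative to the callback URL, exactly as a browser resolves it.
function browserDestinationOrigin(location: string): string {
  return new URL(location, CALLBACK_URL).origin;
}

interface FlowResult { location: string; passesSlashCheck: boolean; destinationOrigin: string }

// Run one returnPathname payload through the whole round trip.
function simulateFlow(returnPathname: string): FlowResult {
  const link = buildAuthorizationUrl(returnPathname);
  const callback = idpRedirectAfterLogin(link);
  const location = vulnerableHandleCallback(callback);
  return {
    location,
    passesSlashCheck: beginsWithSlash(location),
    destinationOrigin: browserDestinationOrigin(location),
  };
}

// Constructed payloads: one benign path plus the shapes the advisory describes.
const PAYLOADS = [
  '/dashboard',
  'https://evil.example/login',
  '//evil.example/login',
  '/\\evil.example/login',
];

function runAll(): Record<string, FlowResult> {
  const out: Record<string, FlowResult> = {};
  for (const p of PAYLOADS) out[p] = simulateFlow(p);
  return out;
}

console.log(JSON.stringify(runAll(), null, 2));
```

Only the absolute URL fails the leading-slash check; the protocol-relative and backslash forms pass it and still land on evil.example, which is why the fix has to normalize rather than pattern-match.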
// Patch in src/utils.ts - sanitizeReturnPathname implementation
/**
 * Normalize an untrusted return-path candidate (e.g. decoded from OAuth
 * state) to a same-origin relative URL. The returned value always begins
 * with exactly one `/`, safe to emit directly as a `Location` header.
 */
export function sanitizeReturnPathname(
  input: unknown,
  fallback: string = '/',
): string {
  for (const candidate of [input, fallback]) {
    if (typeof candidate !== 'string' || candidate.length === 0) continue;
    try {
      const parsed = new URL(candidate, 'https://placeholder.invalid');
      const path = '/' + parsed.pathname.replace(/^\/+/, '');
      return `${path}${parsed.search}${parsed.hash}`;
    } catch {
      // Unparseable; try the next candidate.
    }
  }
  return '/';
}
Source: GitHub Commit f56e1d6. The patch parses each candidate against a throwaway origin, so any smuggled scheme or host is absorbed by the WHATWG URL parser and only the path, query and fragment survive; the parser also drops tab and newline characters and percent-encodes other control characters. Forcing the result to start with exactly one / then defuses protocol-relative redirects. Note that the fallback goes through the same normalization, and that any candidate that was an absolute URL now comes back as its path alone, which is the behaviour change applications should expect after upgrading.
Detection Methods for CVE-2026-42565
Indicators of Compromise
- OAuth callback requests where the decoded state.returnPathname contains absolute URLs, // prefixes, backslashes, or encoded control characters.
- HTTP 302 responses from the application with Location headers pointing to external domains following an authentication callback.
- Unusual referrer chains showing users transiting from the application's OAuth callback to unrelated external hosts.
Detection Strategies
- Inspect application logs for callback handlers returning returnPathname values that do not begin with a single / followed by a path character.
- Run software composition analysis against project manifests to flag installations of @workos/authkit-session below version 0.5.1.
- Add a web application firewall rule that decodes the OAuth state parameter (the rule must reproduce the application's own state encoding) and blocks callback requests whose embedded return path contains a scheme, a second leading slash or backslash, or an external host.
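The indicators and detection strategies above, run over constructed structured request logs, as an added example that is not code from the advisory or from @workos/authkit-session. The JSON log schema, the callback path /auth/callback, the state encoding (JSON in the state query parameter), the app origin and the approved-origin allowlist are assumptions made for the demonstration; adapt the parsing to your own log format and state encoding. It covers both the decoded-state indicators and the external-Location check, and the sample includes a tab-after-slash value so the two checks can be seen agreeing on a case that a naive pattern would miss.

```typescript
// Added example, not @workos/authkit-session code. Log schema, paths, encodings
// and the allowlist are assumptions made for the demonstration.

const APP_ORIGIN = 'https://app.example';                 // assumed application origin
const CALLBACK_PATH = '/auth/callback';                   // assumed callback route
const ALLOWED_REDIRECT_ORIGINS = new Set([APP_ORIGIN, 'https://accounts.example']); // assumed allowlist

interface CallbackLogEntry { ts: string; method: string; path: string; status: number; location?: string }
interface Finding { ts: string; rule: string; value: string }

// Classify a decoded state.returnPathname; null means it looks like a plain
// same-origin path (exactly one leading slash followed by a path character).
function classifyReturnPath(value: string): string | null {
  if (/^[a-z][a-z0-9+.-]*:/i.test(value)) return 'absolute-url';
  if (/^[\/\\]{2}/.test(value)) return 'protocol-relative';       // "//", "/\", "\\"
  if (value.includes('\\')) return 'backslash';
  if (/[\u0000-\u001f\u007f]/.test(value) || /%(?:[01][0-9a-f]|7f)/i.test(value)) return 'control-char';
  if (value !== '/' && !/^\/[^\/\\]/.test(value)) return 'not-a-relative-path';
  return null;
}

// Would this Location value send the browser outside the approved origins?
// Resolving against APP_ORIGIN mirrors what the browser does with a relative Location.
function isExternalLocation(location: string): boolean {
  try {
    return !ALLOWED_REDIRECT_ORIGINS.has(new URL(location, APP_ORIGIN).origin);
  } catch {
    return true; // an unparseable Location deserves a look as well
  }
}

function parseEntry(line: string): CallbackLogEntry | null {
  try { return JSON.parse(line) as CallbackLogEntry; } catch { return null; }
}

// Walk the log, decode state on callback requests, and flag both hostile
// return paths and redirects that actually leave the allowlist.
function analyzeCallbackLogs(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const entry = parseEntry(line);
    if (!entry) continue;
    const url = new URL(entry.path, APP_ORIGIN);
    if (url.pathname !== CALLBACK_PATH) continue;
    const state = url.searchParams.get('state');
    if (state !== null) {
      let returnPathname: unknown;
      try { returnPathname = JSON.parse(state).returnPathname; } catch { returnPathname = undefined; }
      if (typeof returnPathname === 'string') {
        const rule = classifyReturnPath(returnPathname);
        if (rule) findings.push({ ts: entry.ts, rule: `state.returnPathname:${rule}`, value: returnPathname });
      }
    }
    if (entry.status === 302 && entry.location !== undefined && isExternalLocation(entry.location)) {
      findings.push({ ts: entry.ts, rule: 'location:external-origin', value: entry.location });
    }
  }
  return findings;
}

// Constructed log lines (not real traffic): a benign callback, three hostile shapes,
// and one unrelated request that the analyzer must skip.
function callbackLine(ts: string, returnPathname: string, location: string): string {
  const state = encodeURIComponent(JSON.stringify({ returnPathname }));
  return JSON.stringify({ ts, method: 'GET', path: `${CALLBACK_PATH}?code=constructed&state=${state}`, status: 302, location });
}

const SAMPLE_LOG: string[] = [
  callbackLine('T1', '/dashboard', '/dashboard'),
  callbackLine('T2', 'https://evil.example/login', 'https://evil.example/login'),
  callbackLine('T3', '//evil.example', '//evil.example'),
  callbackLine('T4', '/\t/evil.example', '/\t/evil.example'),
  JSON.stringify({ ts: 'T5', method: 'GET', path: '/healthz', status: 200 }),
];

console.log(analyzeCallbackLogs(SAMPLE_LOG));
```

The T4 line is the instructive one: the raw value contains only a tab and two slashes, yet the resolved Location lands on evil.example because browsers strip tab and newline before parsing, so the allowlist check on the response side catches what a simple prefix rule on the request side would not.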
Monitoring Recommendations
- Alert on outbound redirects from authentication endpoints to domains outside an approved allowlist.
- Track callback latency and error rates after deploying the patched version to identify regressions.
- Correlate user reports of unexpected post-login navigation with callback URL telemetry.
How to Mitigate CVE-2026-42565
Immediate Actions Required
- Upgrade @workos/authkit-session to version 0.5.1 or later across all environments.
- Audit application code paths that consume the return value of AuthService.handleCallback and confirm none emit it directly into a Location header without validation.
- The flaw does not disclose session secrets, so rotating them is not required by this issue on its own. If logs show users being redirected off-origin after the callback, treat those users as likely phishing targets: notify them, review their subsequent authentication activity, and consider forcing re-authentication for the affected accounts.
Patch Information
The fix is published in version 0.5.1 of @workos/authkit-session. The patch introduces a sanitizeReturnPathname utility that parses the candidate value with the WHATWG URL parser against a throwaway origin, strips any smuggled host or scheme, and forces the result to begin with exactly one /. Details are available in the GitHub Security Advisory GHSA-vvvv-983w-r7pv and the v0.5.1 release notes.
Workarounds
- Wrap callback consumers with an application-level allowlist that rejects any returnPathname not matching ^/[^/\\]. Note that this pattern alone rejects a bare / and still admits values such as a slash followed by a tab and another slash, because browsers strip tab and newline characters from a Location value before parsing it; pair the pattern with a control-character check and with resolving the value against the application's origin and comparing origins.
- Disable the use of returnPathname entirely and redirect all post-login traffic to a fixed safe path until the upgrade is deployed.
- Configure a Content-Security-Policy with form-action 'self' and validate the Referer chain on sensitive endpoints to limit downstream abuse. Neither measure stops a server-issued 302 to an external host, so treat them as defence in depth rather than as a fix.
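One way to implement the allowlist wrapper above, as an added example that is not code from the advisory or from @workos/authkit-session. It applies the advisory's pattern ^/[^/\\], adds a control-character check, and resolves the candidate against the application's origin so the decision reflects where a browser would actually go. The origin app.example and the function names are assumptions made for the demonstration. It also shows why the pattern alone is not enough: a tab after the leading slash passes it but resolves to a foreign host.

```typescript
// Added example, not @workos/authkit-session code. The app origin and function
// names are assumptions made for the demonstration.

const APP_ORIGIN = 'https://app.example'; // assumed relying-party origin

// The advisory's suggested allowlist pattern: one leading slash followed by a
// character that is neither `/` nor `\`.
const RETURN_PATH_RE = /^\/[^\/\\]/;

// C0 controls, space and DEL. Tab and newline are stripped by browsers before a
// Location value is parsed, which is what turns "/<TAB>/host" into "//host".
const CONTROL_OR_SPACE_RE = /[\u0000-\u0020\u007f]/;

// Pattern-only check, kept to show why it is insufficient on its own.
function regexOnlyAccepts(candidate: string): boolean {
  return RETURN_PATH_RE.test(candidate);
}

// Where a browser would land for a given Location value issued by APP_ORIGIN.
function resolvedOrigin(candidate: string, appOrigin = APP_ORIGIN): string {
  return new URL(candidate, appOrigin).origin;
}

// Full guard: the pattern, a control-character scan, and an origin comparison
// that asks the WHATWG parser where the value really points.
function isSafeReturnPath(candidate: unknown, appOrigin = APP_ORIGIN): candidate is string {
  if (typeof candidate !== 'string') return false;
  if (candidate === '/') return true;               // the pattern alone rejects a bare root path
  if (!RETURN_PATH_RE.test(candidate)) return false;
  if (CONTROL_OR_SPACE_RE.test(candidate)) return false;
  try {
    return resolvedOrigin(candidate, appOrigin) === appOrigin;
  } catch {
    return false;                                   // unparseable: fall back
  }
}

// Wrap the consumer: whatever handleCallback returned is kept only if it passes
// every check; otherwise a fixed safe path is used.
function safeReturnPath(candidate: unknown, fallback = '/', appOrigin = APP_ORIGIN): string {
  return isSafeReturnPath(candidate, appOrigin) ? candidate : fallback;
}

// Constructed inputs for a quick look at the decisions.
const SAMPLES: unknown[] = [
  '/dashboard?tab=2', '/', '//evil.example', '/\\evil.example',
  'https://evil.example/x', '/\t/evil.example', undefined, 42,
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(safeReturnPath(s)));
}
```

Returning the original string rather than a re-serialized one keeps the wrapper a pure gate, which is the right shape for a temporary workaround; the upstream fix normalizes instead, so expect the two to differ on inputs such as a double-encoded path once you upgrade.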
# Upgrade to the patched version
npm install @workos/authkit-session@0.5.1
# Verify the installed version
npm ls @workos/authkit-session
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


