js · nocodb · Heads-up
NocoDB hashRedirect plugin rejects protocol-relative URLs to fix open redirect
What changed
The client-side hashRedirect plugin now rejects protocol-relative URLs (starting with //) to prevent open redirect attacks.
Who it affects
All NocoDB instances using the affected plugin; users who may click crafted links with a hash fragment like //attacker.com/...
What to do today
Update NocoDB to the latest patched version that includes the fix rejecting protocol-relative hash paths.
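The difference between a prefix-only check and one that rejects protocol-relative hash paths, as an added example. This is not NocoDB's code: the function names, the app origin and the sample URLs are hypothetical and constructed for illustration, and the origin comparison is an extra check beyond what the advisory describes.

```javascript
// Added illustration; names and sample URLs are hypothetical, not NocoDB's own.

// Weak check: any string starting with "/" is treated as a local path,
// so a protocol-relative value such as "//host/path" is accepted.
function isLocalPathWeak(path) {
  return typeof path === 'string' && path.startsWith('/');
}

// Hardened check: a single leading "/" only, and the resolved URL must
// stay on the application's own origin (assumed extra safeguard).
function isLocalPathStrict(path, appOrigin) {
  if (typeof path !== 'string' || !path.startsWith('/')) return false;
  if (path.startsWith('//')) return false; // protocol-relative URL
  try {
    return new URL(path, appOrigin).origin === appOrigin;
  } catch {
    return false; // unparseable input is never a redirect target
  }
}

// Take the redirect path from a URL's hash fragment, or null if rejected.
function redirectTargetFromHash(href, appOrigin) {
  const path = new URL(href).hash.slice(1); // drop the leading "#"
  return isLocalPathStrict(path, appOrigin) ? path : null;
}

// Constructed samples (example domains only).
const APP_ORIGIN = 'https://app.example';
const samples = [
  'https://app.example/#/dashboard/base1',
  'https://app.example/#//attacker.example/login',
  'https://app.example/',
];
for (const href of samples) {
  const path = new URL(href).hash.slice(1);
  console.log(href, {
    weak: isLocalPathWeak(path),
    strict: redirectTargetFromHash(href, APP_ORIGIN),
  });
}
```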
Source
GitHub Advisory · nocodb