python · authlib
Heads-up
Authlib OAuth 2.0 Authorization Endpoint Open Redirect Vulnerability
What changed
Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri.
Who it affects
Any deployment using Authlib's OAuth 2.0 authorization server and the documented authorization endpoint flow.
What to do today
Update to a patched version of Authlib once available, or apply a workaround such as validating redirect_uri before calling get_consent_grant.
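The workaround above, as an added example that is not Authlib's own code: a pre-check that resolves redirect_uri against the client's registered URIs by exact match and refuses to redirect at all when it does not match, so that any later error (including an unsupported response_type) can only be sent to a registered URI. The CLIENTS table and the authorize() wrapper are constructed for illustration; the Flask authorization object and the Authlib call named in the comment are assumed to be those of the deployment.

```python
from urllib.parse import urlsplit

# Constructed sample client registry. A real deployment reads this from its
# client store (for example via the query_client callback given to Authlib).
CLIENTS = {
    "demo-client": ["https://app.example.com/callback"],
}


def resolve_redirect_uri(client_id, requested):
    """Return the redirect URI the endpoint may use, or None if the request
    must be rejected without any redirect.

    Matching is exact string comparison against the registered list (no
    prefix or wildcard matching). A request that omits redirect_uri is
    accepted only when exactly one URI is registered for the client.
    """
    registered = CLIENTS.get(client_id)
    if not registered:
        return None
    if requested is None:
        return registered[0] if len(registered) == 1 else None
    # RFC 6749 section 3.1.2: the redirection endpoint URI must not contain
    # a fragment component.
    if urlsplit(requested).fragment:
        return None
    return requested if requested in registered else None


def authorize(params):
    """Pre-check run before the grant is built. Returns (status, body).

    On an unregistered redirect_uri the endpoint answers the user agent
    directly with a 400 and never issues a 302, which is what closes the
    open redirect regardless of the response_type that was sent.
    """
    redirect_uri = resolve_redirect_uri(params.get("client_id"),
                                        params.get("redirect_uri"))
    if redirect_uri is None:
        return 400, "invalid_request: redirect_uri is not registered for this client"
    # Only now is it safe to hand the request to the authorization server,
    # e.g. grant = authorization.get_consent_grant(end_user=current_user)
    # (assumed Flask integration object), since every error redirect it may
    # produce from here on targets a URI registered for this client.
    return 200, f"consent page for {params['client_id']} -> {redirect_uri}"
```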