Open Redirect Vulnerabilities Exposed in Codebase: Phishing Risk in Two Critical Files
A security audit has identified two open redirect vulnerabilities within a codebase, classified as a medium-severity risk. The flaws, present in two separate route files, allow user-controlled input to dictate redirect destinations without validation. This creates a direct vector for phishing attacks, where attackers could trick users into visiting malicious sites under the guise of legitimate application redirects.
The vulnerabilities are pinpointed in `app/routes/index.js` at line 72, where `return res.redirect(req.query.url);` passes a user-supplied query parameter straight to the redirect function. A second instance is found in `app/routes/session.js` at line 117, inside a conditional redirect. The issue is formally categorized under CWE-601 and aligns with the OWASP Top 10 'Broken Access Control' category; the assessment assigns the finding an 80% confidence rating.
These flaws represent a significant security oversight in access control. The primary risk is that an attacker could craft a URL containing the vulnerable parameter that redirects an authenticated user to a fraudulent website designed to steal credentials or deliver malware. The recommendation is to implement strict validation, such as a whitelist of permitted domains, for any redirect target. Relying on user input for critical navigation logic without sanitization leaves the application and its users exposed to social engineering and credential harvesting campaigns.
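As an added illustration (not code from the audited codebase), the following Node.js example places the vulnerable `res.redirect(req.query.url)` pattern beside an allowlist-based replacement. The application origin, the allowed hosts, the `safeRedirectTarget` helper and the sample inputs are all assumptions constructed for the example; it uses only Node's built-in WHATWG `URL` class so it runs without Express installed.

```javascript
// Added example, not the audited project's code. APP_ORIGIN, ALLOWED_HOSTS,
// safeRedirectTarget and the SAMPLES list are assumptions made for this demo.

// Assumed application origin; relative targets are resolved against it.
const APP_ORIGIN = 'https://app.example';
// Assumed allowlist of hosts a redirect may land on (exact match only).
const ALLOWED_HOSTS = new Set(['app.example', 'accounts.app.example']);

// Vulnerable form, equivalent to the audited line: whatever the caller put
// in ?url= becomes the Location header.
function vulnerableRedirect(req, res) {
  return res.redirect(req.query.url);
}

// Returns a normalized absolute URL when `raw` is an acceptable target,
// otherwise null. Parsing with the WHATWG URL class resolves relative paths,
// protocol-relative "//host" forms and backslash variants the way a browser
// would, so the host check sees the real destination rather than a prefix.
function safeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let target;
  try {
    target = new URL(raw, APP_ORIGIN);
  } catch (_) {
    return null; // unparseable input is never a valid destination
  }
  // Web schemes only; rejects javascript:, data:, and similar.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null;
  // Exact host match defeats "app.example.evil.example" and
  // "https://app.example@evil.example" (whose hostname is evil.example).
  if (!allowedHosts.has(target.hostname)) return null;
  // Drop any embedded credentials so they cannot ride along in Location.
  target.username = '';
  target.password = '';
  return target.href;
}

// Hardened handler: fall back to a fixed in-app page when validation fails.
const DEFAULT_LANDING = '/';
function hardenedRedirect(req, res) {
  const dest = safeRedirectTarget(req.query.url) || DEFAULT_LANDING;
  return res.redirect(dest);
}

// Minimal stand-in for an Express response object, used to compare handlers.
function fakeResponse() {
  const res = { location: null, redirect(u) { res.location = u; return res; } };
  return res;
}

// Constructed sample values for ?url=: legitimate links plus the shapes a
// validator must handle (absolute external, protocol-relative, backslash,
// userinfo, look-alike subdomain, non-web scheme).
const SAMPLES = [
  '/dashboard',
  'https://accounts.app.example/login',
  'https://evil.example/phish',
  '//evil.example/phish',
  '/\\evil.example/phish',
  'https://app.example@evil.example/',
  'https://app.example.evil.example/',
  'javascript:alert(1)',
];

// Runs both handlers over the samples and returns where each would send
// the browser, keyed by the raw input.
function compareHandlers(samples = SAMPLES) {
  const out = {};
  for (const url of samples) {
    const v = fakeResponse();
    const h = fakeResponse();
    vulnerableRedirect({ query: { url } }, v);
    hardenedRedirect({ query: { url } }, h);
    out[url] = { vulnerable: v.location, hardened: h.location };
  }
  return out;
}

for (const [input, r] of Object.entries(compareHandlers())) {
  console.log(`${input}\n  vulnerable -> ${r.vulnerable}\n  hardened   -> ${r.hardened}`);
}
```

The comparison table printed at the end shows the point of the finding: the vulnerable handler forwards every sample verbatim, while the hardened one only ever emits an absolute URL on an allowlisted host or the fixed landing page. Matching `hostname` exactly after parsing is what matters; string checks such as `startsWith('/')` or `includes('app.example')` pass several of the samples above.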